TABLE OF CONTENTS

35 Virus Ratio in Email by Industry

37 TARGETED ATTACKS
38 Zero-Day Vulnerabilities
38 Zero-Day Vulnerabilities, Annual Total
38 Diversity in Zero Days
39 Infographic: A New Zero-Day Vulnerability Discovered Every Week in 2015

& PRIVACY
49 Top Sub Level Sectors Breached by Number of Identities Exposed and Incidents
50 Infographic: Facts About the Attack on Anthem
51 Top 10 Sectors Breached by Number of Incidents
51 Top 10 Sub-Sectors Breached by Number of Incidents
51 Top 10 Sectors Breached by Number of Identities Exposed
51 Top 10 Sub-Sectors Breached by Number of Identities Exposed
52 Top Sectors Filtered for Incidents, Caused by Hacking and Insider Theft
52 Top Sectors Filtered for Identities Exposed, Caused by Hacking and Insider Theft
52 By Any Other Name
53 Top 10 Types of Information Exposed
53 Top Causes of Data Breach by Incidents
53 The Insider Threat
54 Infographic: Over Half a Billion Personal Information Records Stolen or Lost in 2015
55 Privacy Regulation and the Value of Personal Data
56 Reducing the Risk
57 The Underground Economy and Law Enforcement
57 Business in the Cyber Shadows
58 Stand and Deliver
59 Global Issues, Local Attacks
60 Botnets and the Rise of the Zombies
60 The Dyre Consequences and Law Enforcement

INTRODUCTION

Symantec has established one of the most comprehensive sources of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 63.8 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services, such as Symantec DeepSight Intelligence, Symantec Managed Security Services, Norton consumer products, and other third-party data sources.

In addition, Symantec maintains one of the world's most comprehensive vulnerability databases, currently consisting of more than 74,180 recorded vulnerabilities (spanning more than two decades) from over 23,980 vendors representing over 71,470 products.

Spam, phishing, and malware data is captured through a variety of sources, including the Symantec Probe Network, a system of more than five million decoy accounts, Symantec.cloud, and a number of other Symantec security technologies. Skeptic, the Symantec.cloud proprietary heuristic technology, is able to detect new and sophisticated targeted threats before they reach customers' networks. Over nine billion email messages are processed each month and more than 1.8 billion web requests filtered each day across 13 data centers. Symantec also gathers phishing information through an extensive anti-fraud community of enterprises, security vendors, and more than 52 million consumers and 175 million endpoints.

Symantec Website Security secures more than one million web servers worldwide with 100 percent availability since 2004. The validation infrastructure processes over six billion Online Certificate Status Protocol (OCSP) look-ups per day, which are used for obtaining the revocation status of X.509 digital certificates around the world. The Norton Secured Seal is displayed almost one billion times per day on websites in 170 countries and in search results on enabled browsers.

These resources give Symantec analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises, small businesses, and consumers essential information to secure their systems effectively now and into the future.

2016 Internet Security Threat Report


EXECUTIVE SUMMARY

Introduction

Symantec discovered more than 430 million new unique pieces of malware in 2015, up 36 percent from the year before. Perhaps what is most remarkable is that these numbers no longer surprise us. As real life and online become indistinguishable from each other, cybercrime has become a part of our daily lives. Attacks against businesses and nations hit the headlines with such regularity that we've become numb to the sheer volume and acceleration of cyber threats.

Most threat reports only scratch the surface of the threat landscape, whereas the breadth of Symantec's data enables the Internet Security Threat Report (ISTR) to examine multiple facets, including targeted attacks, smartphone threats, social media scams, and Internet of Things (IoT) vulnerabilities, as well as attackers' tactics, motivations, and behaviors. While there is much to be learned from this comprehensive view into the threat landscape, the following are six key findings and trends from 2015.

A New Zero-Day Vulnerability Was Discovered on Average Each Week in 2015

Advanced attack groups continue to profit from previously undiscovered flaws in browsers and website plugins

In 2015, the number of zero-day vulnerabilities discovered more than doubled to 54, a 125 percent increase from the year before. Or put another way, a new zero-day vulnerability was found every week (on average) in 2015. In 2013, the number of zero-day vulnerabilities (23) doubled from the year before. In 2014, the number held relatively steady at 24, leading us to conclude that we had reached a plateau. That theory was short-lived. The 2015 explosion in zero-day discoveries reaffirms the critical role they play in lucrative targeted attacks.

Given the value of these vulnerabilities, it's not surprising that a market has evolved to meet demand. In fact, at the rate that zero-day vulnerabilities are being discovered, they may become a commodity product. Targeted attack groups exploit the vulnerabilities until they are publicly exposed, then toss them aside for newly discovered vulnerabilities. When The Hacking Team was exposed in 2015 as having at least six zero-days in its portfolio, it confirmed our characterization of the hunt for zero days as being professionalized.

Vulnerabilities can appear in almost any type of software, but the most attractive to targeted attackers is software that is widely used. Again and again, the majority of these vulnerabilities are discovered in software such as Internet Explorer and Adobe Flash, which are used on a daily basis by a vast number of consumers and professionals. Four of the five most exploited zero-day vulnerabilities in 2015 were Adobe Flash. Once discovered, the zero days are quickly added to cybercriminal toolkits and exploited. At this point, millions will be attacked and hundreds of thousands infected if a patch is not available, or if people have not moved quickly enough to apply the patch.

Over Half a Billion Personal Records Were Stolen or Lost in 2015

More companies than ever are not reporting the full extent of their data breaches

At the close of 2015, the world experienced the largest data breach ever publicly reported. An astounding 191 million records were exposed. It may have been the largest mega-breach, but it wasn't alone. In 2015, a record-setting total of nine mega-breaches were reported. (A mega-breach is defined as a breach of more than 10 million records.)

The total reported number of exposed identities jumped 23 percent to 429 million. But this number hides a bigger story. In 2015, more and more companies chose not to reveal the full extent of the breaches they experienced. Companies choosing not to report the number of records lost increased by 85 percent. A conservative estimate by Symantec of those unreported breaches pushes the real number of records lost to more than half a billion.

The fact that companies are increasingly choosing to hold back critical details after a breach is a disturbing trend. Transparency is critical to security. While numerous data sharing initiatives are underway in the security industry, helping all of us improve our security products and postures, some of this data is getting harder to collect.

Major Security Vulnerabilities in Three Quarters of Popular Websites Put Us All at Risk

Web administrators still struggle to stay current on patches

There were over one million web attacks against people each and every day in 2015. Many people believe that keeping to well-known, legitimate websites will keep them safe from online crime. This is not true. Cybercriminals continue to take advantage of vulnerabilities in legitimate websites to infect users, because website administrators fail to secure their websites. More than 75 percent of all legitimate websites have unpatched vulnerabilities. Fifteen percent of legitimate websites have vulnerabilities deemed critical, which means it takes trivial effort for cybercriminals to gain access and manipulate these sites for their own purposes. It's time for website administrators to step up and address the risks more aggressively.

Spear-Phishing Campaigns Targeting Employees Increased 55 Percent in 2015

Cyber attackers are playing the long game against large companies

In 2015, a government organization or a financial company targeted for attack once was most likely to be targeted again at least three more times throughout the year. Overall, large businesses that experienced a cyber attack saw an average of 3.6 successful attacks each.

In the last five years, we have observed a steady increase in attacks targeting businesses with less than 250 employees, with 43 percent of all attacks targeted at small businesses in 2015, proving that companies of all sizes are at risk.

It's not just Fortune 500 companies and nation states at risk of having IP stolen; even the local laundry service is a target. In one example, an organization of 35 employees was the victim of a cyber attack by a competitor. The competitor hid in their network for two years stealing customer and pricing information, giving them a significant advantage. This serves as a clear warning that all businesses are potentially vulnerable to targeted attacks. In fact, spear-phishing campaigns targeting employees increased 55 percent in 2015. No business is without risk. Attackers motivated purely by profit can be just as technically sophisticated and well-organized as any nation state-sponsored attackers. Take, for example, the Butterfly gang, who steal information to use in stock manipulation.

Ransomware Increased 35 Percent in 2015

Cyber criminals are using encryption as a weapon to hold companies' and individuals' critical data hostage

Ransomware continues to evolve. Last year, we saw crypto-ransomware (encrypting files) push the less damaging locker-style ransomware (locking the computer screen) out of the picture. Crypto-style ransomware grew 35 percent in 2015. An extremely profitable type of attack, ransomware will continue to ensnare PC users and expand to any network-connected device that can be held hostage for a profit. In 2015, ransomware found new targets and moved beyond its focus on PCs to smart phones, Mac, and Linux systems. Symantec even demonstrated proof-of-concept attacks against smart watches and televisions in 2015.


Symantec Blocked 100 Million Fake Technical Support Scams in 2015

Cyber scammers now make you call them to hand over your cash

While ransomware continues to grow as a threat, it is not the only threat that people face. As people conduct more of their lives online, attackers are finding new ways to lure victims. Fake technical support scams, first reported by Symantec in 2010, have evolved from cold-calling unsuspecting victims to the attacker fooling victims into calling them directly. Attackers trick people with pop-ups that alert them to a serious error or problem, thus steering the victim to an 800 number, where a technical support representative attempts to sell the victim worthless services. In 2015, Symantec blocked 100 million of these types of attacks.

Attackers continue to find ways to profit from what can be stolen online. Last year, Netflix expanded into new countries, attracting the attention of attackers. Symantec researchers discovered logins and passwords to legitimate Netflix accounts being sold on the black market. The account access information was stolen via phishing or malware. Of course, reselling account access on the black market is not a new phenomenon. Symantec continues to see stolen hotel loyalty, airline frequent flyer, and gaming accounts advertised for sale on the black market.


BIG NUMBERS

BREACHES

                                              2013        2014        2015
Total Breaches                                 253         312         318
  Change year over year                                   +23%         +2%
Total Identities Exposed                      552M        348M        429M
  Change year over year                                   -37%        +23%
Average Identities Exposed per Breach         2.2M        1.1M        1.3M
  Change year over year                                   -49%        +21%
Median Identities Exposed per Breach         6,777       7,000       4,885
  Change year over year                                    +3%        -30%
Breaches With More Than 10 Million
  Identities Exposed                                                     9
  Change year over year                                   -50%       +125%

(The 2015 count of nine mega-breaches is the figure given in the Executive Summary; the 2013 and 2014 counts are not recoverable from this extraction.)

EMAIL THREATS, MALWARE AND BOTS

                                              2013        2014        2015
Overall Email Spam Rate                        66%         60%         53%
  Change (percentage points)                            -6 pts      -7 pts
Email Phishing Rate (Not Spear Phishing)  1 in 392    1 in 965  1 in 1,846
Email Malware Rate (Overall)              1 in 196    1 in 244    1 in 220
New Malware Variants (Added in Each Year)                 317M        431M
  Change year over year                                               +36%
Number of Bots                                2.3M        1.9M        1.1M
  Change year over year                                   -18%        -42%
Crypto-Ransomware Total                                   269K        362K
  Change year over year                                               +35%
  Average per Day                                          737         992

MOBILE

                                              2013        2014        2015
New Mobile Vulnerabilities                     127         168         528
  Change year over year                                   +32%       +214%
New Android Mobile Malware Families             57          46          18
  Change year over year                                   -19%        -61%
New Android Mobile Malware Variants          3,262       2,227       3,944
  Change year over year                                   -32%        +77%

WEB

                                              2013        2014        2015
Web Attacks Blocked per Day                   569K        493K        1.1M
  Change year over year                                   -13%       +117%
Scanned Websites with Vulnerabilities          77%         76%         78%
  Change (percentage points)                            -1 pts      +2 pts
... Percentage of Which Were Critical          16%         20%         15%
  Change (percentage points)                            +4 pts      -5 pts
Websites Found with Malware               1 in 566  1 in 1,126  1 in 3,172

VULNERABILITIES

                                              2013        2014        2015
New Vulnerabilities                          6,787       6,549       5,585
  Change year over year                                    -4%        -15%
Zero-day Vulnerabilities                        23          24          54
  Change year over year                                    +4%       +125%

SPEAR-PHISHING (EMAIL TARGETED ATTACKS)

                                              2013        2014        2015
Spear-Phishing Emails per Day                   83          73          46
  Change year over year                                   -12%        -37%


MOBILE DEVICES & THE INTERNET OF THINGS

SMARTPHONES AND MOBILE DEVICES

Smartphones are an increasingly attractive target for online criminals. As a result, they are investing in more sophisticated attacks that are effective at stealing valuable personal data or extorting money from victims. Although Android users remain the main target, 2015 saw effective attacks on Apple devices as well, and iOS devices did not need to be jail-broken to be compromised.

One Phone Per Person

The world bought more than 1.4 billion smartphones in 2015, up 10 percent from the 1.3 billion units sold in the previous year, according to IDC's Worldwide Quarterly Mobile Phone Tracker (January 27, 2016). Five out of six new phones were running Android, with one in seven running Apple's iOS operating system (Smartphone OS Market Share, 2015, Q2). One mobile manufacturer, Ericsson, predicts there could be as many as 6.4 billion smartphone subscriptions by the end of 2020, almost one per person.

At the same time, high-end phones and tablets have powerful processors and, with 4G networks, high-bandwidth connectivity. They also contain valuable personal information. In 2015, Apple Pay launched in more countries around the world. With Samsung Pay and Android Pay also competing to manage the cards in your wallet, other mobile payment systems are likely to follow. All of this makes smartphones very attractive to criminals.


Cross-Over Threats

With many app stores, users are able to browse, purchase, and remotely install apps from their desktop, providing a unique opportunity for a cross-over of threats. In one example with Google Play, customers can browse the Play Store from their computer using a normal web browser, installing apps directly onto their phone. Recent examples of some Windows malware have exploited this by stealing browser cookies for Google Play sessions from the infected desktop computer and using these stolen cookies (essentially the user's credentials), impersonating the user to remotely install apps onto the victim's phones and tablets without their knowledge or consent.

Cumulative Android Mobile Malware Families

- The number of Android malware families added in 2015 grew by 6 percent, compared with the 20 percent growth in 2014.

                                    2012    2013    2014    2015
Cumulative Android malware families  174     231     277     295

In 2012, IOS.Finfish had been the first example of a malicious iOS app to be discovered in the Apple Store. Finfish was able to steal information from a compromised device. OSX.Wirelurker emerged in 2014, which used an attack involving USB connections to a Mac or PC, potentially enabling apps to be installed on non-jailbroken iOS devices. However, in 2015, attacks using XcodeGhost and YiSpecter were revealed not to require vulnerabilities, or to be jail-broken, in order to compromise an iOS device. We will be taking a closer look at these and other mobile threats later in this section.

Mobile Vulnerabilities by Operating System

The number of mobile vulnerabilities has increased every year over the past three years. Unlike Android devices, iOS vulnerabilities have been a critical part of gaining access to an iOS device, especially for jail-breaking. Jail-breaking enables a user to install apps that are not authorized on the Apple Store and bypasses the integral security of iOS. It is much more difficult to compromise a non-jailbroken device, as this typically requires an app to be installed by downloading it from the Apple Store. Apple is well-known for its stringent screening processes, which is why the number of malicious iOS apps is so much smaller than for Android.

- Vulnerabilities on the iOS platform have accounted for the greatest number of mobile vulnerabilities in recent years, with research often fueled by the

[Chart: Mobile Vulnerabilities by Operating System, 2011 to 2015, covering iOS, Android, Blackberry OS, and Windows Phone; the per-year values are not recoverable from this extraction.]

Cumulative Android Mobile Malware Variants

- The volume of Android variants increased by 40 percent in 2015, compared with 29 percent growth in the previous year.

                                    2012    2013    2014    2015
Cumulative Android malware variants 4,350   7,612   9,839  13,783

Android Attacks Become More Stealthy

Android malware is becoming stealthier. For example, malware authors started to obfuscate code to bypass signature-based security software. Additionally, before they begin their attacks, some malware can now check to see if it is running on real phones or the kind of emulators or sandboxes that security researchers use.
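The environment check described above leaves traces an analyst can look for: the values a sample compares against to decide whether it is inside an emulator are usually present as plain strings once the code is decompiled. The following triage helper is an added example, not Symantec code; its indicator list is illustrative (build properties and device values of the stock Android emulator) and its sample string table is constructed to stand in for the output of a strings dump of classes.dex.

```python
# Added example (not Symantec's code): scan the string table of a decompiled
# Android app for values commonly compared against by emulator/sandbox checks.
# Assumption: the indicator list is illustrative and drawn from the stock
# Android emulator's build properties; the sample strings are constructed.
import re

# (pattern, what the value identifies). Patterns are anchored so that ordinary
# application text such as "generic error" does not trigger them.
EMULATOR_INDICATORS = [
    (re.compile(r"^goldfish$"), "Build.HARDWARE of the classic QEMU emulator"),
    (re.compile(r"^ranchu$"), "Build.HARDWARE of the newer QEMU emulator"),
    (re.compile(r"google_sdk|^sdk(_x86)?$"), "Build.MODEL/PRODUCT of SDK emulator images"),
    (re.compile(r"^generic(_x86)?(/|$)"), "Build.DEVICE/FINGERPRINT prefix of emulator images"),
    (re.compile(r"^/dev/socket/qemud$"), "QEMU daemon socket present only in emulators"),
    (re.compile(r"^ro\.kernel\.qemu$"), "system property set to 1 inside the emulator"),
    (re.compile(r"^15555215554$"), "default phone number of the first emulator instance"),
    (re.compile(r"^0{15}$"), "all-zero IMEI returned by the emulator"),
]


def scan_strings(strings):
    """Return (string, reason) pairs for every string that matches an indicator."""
    hits = []
    for s in strings:
        for pattern, reason in EMULATOR_INDICATORS:
            if pattern.search(s):
                hits.append((s, reason))
                break
    return hits


def triage(strings, threshold=2):
    """Summarise a string table. A single hit can be coincidental (a support
    hotline, a zero-filled default); several distinct categories together are
    the signature of a deliberate environment check."""
    hits = scan_strings(strings)
    categories = sorted({reason for _, reason in hits})
    return {
        "hits": hits,
        "categories": categories,
        "suspicious": len(categories) >= threshold,
    }


# Constructed sample: what a strings dump of classes.dex might yield for a
# repackaged banking app that checks for an emulator before acting.
SAMPLE_STRINGS = [
    "Lcom/example/pay/MainActivity;",
    "Enter your account PIN",
    "goldfish",
    "ro.kernel.qemu",
    "generic_x86",
    "/dev/socket/qemud",
    "000000000000000",
    "generic error, please retry",   # benign use of the word: must not match
]

if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS)
    for s, why in result["hits"]:
        print(f"{s!r:28} -> {why}")
    print("suspicious:", result["suspicious"])
```

The threshold matters more than the list: a lone hit is weak evidence, but a sample that embeds the emulator's hardware name, its QEMU socket path and its kernel property together is checking where it runs, which is the behaviour the paragraph describes and the cue to detonate it on real hardware or with those values patched.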


The number of malware attacks against Android fluctuated during 2015. In Q1, Symantec blocked approximately 550 attacks each day, the highest period of the year. This fell to approximately 272 per day by Q3, rising again to 495 by the end of Q4.

Android Malware Volume

- There were more than three times as many Android apps classified as containing malware in 2015 than in 2014, an increase of 230 percent.

Top Ten Android Malware

- related to variants of Android.Lotoor, which is generic detection for hacking tools that can exploit vulnerabilities in Android in order to gain root privilege access on compromised Android devices.

Rank  Malware               Percentage
   1  Android.Lotoor             36.8%
   2  Android.RevMob             10.0%
   3  Android.Malapp              6.1%
   4  Android.Fakebank.B          5.4%
   5  Android.Generisk            5.2%
   6  Android.AdMob               3.3%
   7  Android.Iconosis            3.1%
   8  Android.Opfake              2.7%
   9  Android.Premiumtext         2.0%
  10  Android.Basebridge          1.7%

How Malicious Video Messages Could Lead to Stagefright and Stagefright 2.0

No matter how quickly Google patches critical vulnerabilities in the Android OS, the speed at which end-users receive updates is dependent on their device manufacturers, and sometimes this can take longer. This was highlighted when in July 2015, seven vulnerabilities were patched that could allow attackers to compromise affected devices by simply sending them a malicious multimedia message (MMS); all the intended victim had to do was to look at the malicious message, triggering an exploit.

The seven vulnerabilities involved were collectively known as the Google Stagefright Media Playback Engine Multiple Remote Code Execution Vulnerabilities (CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828 and CVE-2015-3829), and all were related to an Android component known as libStageFright, which handled media playback. Joshua Drake, from Zimperium zLabs, reported the vulnerabilities to Google in April and May 2015, raising further concerns that while Google had provided patches to its partners, many manufacturers took much longer providing patches to protect their customers.

The severity of these vulnerabilities was compounded by the fact that despite the availability of a patch from Google, users remained at risk until carriers and manufacturers rolled out their own patches. This can often take weeks or months, and many older devices may never have a patch pushed out to them at all.

However, Google was keen to point out that devices with Android 4.0 and higher (approximately 95% of active Android devices) have protection against a buffer overflow attack built in, using a technology called Address Space Layout Randomization (ASLR). Additionally, Android users were able to turn off the automatic retrieval of multimedia messages through the built-in Messaging application, as well as through Google Hangouts. Whilst this afforded partial mitigation, it could not prevent the vulnerabilities from being exploited if a malformed or malicious multimedia message was downloaded and opened.

In October 2015, two more Android vulnerabilities (CVE-2015-6602 and CVE-2015-3876), similar to the original Stagefright bug, were disclosed. Again, if exploited they could allow an attacker to gain control of a compromised device, this time when the intended victim viewed a preview of an .mp3 or .mp4 file. By creating malicious audio or video files, attackers could entice a user to preview a song or video on an unpatched Android device. Google had previously patched the libStageFright library so it no longer automatically processed such messages; however, it remained possible for attackers to exploit libStageFright through the mobile browser. Dubbed Stagefright 2.0, these new vulnerabilities could also be exploited through man-in-the-middle attacks and through third-party applications that still used Stagefright. Discovered and reported in August, the patches for these new vulnerabilities were included in Google's October Monthly Security Update.
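The practical problem the section raises is that a fix from Google says nothing about whether a given handset has received it, so an administrator needs to ask each device. The script below is an added example, not Symantec's or Google's code: it reads a (hypothetical, constructed) MDM inventory export and flags devices whose reported security patch level predates the October 2015 update that carried the Stagefright 2.0 fixes, or that report no patch level at all. It assumes the column names shown, that the security_patch field carries the device's ro.build.version.security_patch value (which only exists from Android 6.0 onwards, so it is empty for older builds), and that 2015-10-01 stands for that October update.

```python
# Added example (not Symantec's or Google's code): fleet check over an MDM
# inventory export for Android devices still exposed to the Stagefright bugs.
# Assumptions: the CSV columns are hypothetical; security_patch is the device's
# ro.build.version.security_patch value, present only on Android 6.0 and later;
# 2015-10-01 stands for Google's October 2015 Monthly Security Update.
import csv
import io
from datetime import date

REQUIRED_PATCH = date(2015, 10, 1)   # October 2015 update (Stagefright 2.0 fixes)
MIN_ASLR_VERSION = (4, 0)            # Android 4.0+ has ASLR, a partial mitigation only

# Constructed inventory: a mix of current, lagging and end-of-life handsets.
SAMPLE_INVENTORY = """device_id,model,os_version,security_patch
d1,Nexus 6,6.0,2015-11-01
d2,Galaxy S4,4.4.2,
d3,OnePlus One,5.1.1,
d4,Nexus 5,6.0,2015-09-01
d5,Galaxy S2,2.3.6,
"""


def parse_version(text):
    """'4.4.2' -> (4, 4, 2); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_patch(text):
    """'2015-10-01' -> date; an empty field -> None (pre-6.0 build or not reported)."""
    text = text.strip()
    return date.fromisoformat(text) if text else None


def assess(row):
    """Return the findings for one device; an empty list means nothing flagged."""
    findings = []
    version = parse_version(row["os_version"])
    patch = parse_patch(row["security_patch"])
    if patch is None:
        # Without a patch level the device cannot prove it has the fix, and the
        # vendors that lag are exactly the ones whose builds carry no such field.
        findings.append("no security patch level reported; treat as unpatched "
                        "until the vendor confirms a fix")
    elif patch < REQUIRED_PATCH:
        findings.append(f"security patch level {patch} predates {REQUIRED_PATCH}")
    if version < MIN_ASLR_VERSION:
        findings.append("Android below 4.0: no ASLR, so exploitation is easier")
    return findings


def check_inventory(csv_text):
    """Map device_id -> findings for every row of the export."""
    return {row["device_id"]: assess(row)
            for row in csv.DictReader(io.StringIO(csv_text))}


def exposed_devices(csv_text):
    """Sorted ids of devices with at least one finding."""
    return sorted(dev for dev, findings in check_inventory(csv_text).items() if findings)


if __name__ == "__main__":
    for dev, findings in check_inventory(SAMPLE_INVENTORY).items():
        print(dev, "OK" if not findings else "; ".join(findings))
```

For the flagged devices the interim control the text mentions, turning off automatic MMS retrieval in the messaging app and Hangouts, can be pushed by policy, but as the section notes that only closes the MMS delivery path; the browser and third-party apps that still use Stagefright remain exposed until the vendor's patch arrives, which is why the device stays on the list rather than being marked mitigated.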


Android Users under Fire with Phishing and Ransomware

Besides familiar tricks such as hiding malicious code inside ostensibly legitimate apps, or being disguised as something more useful, attackers are using more sophisticated techniques to make money from their victims. For example, Symantec researchers uncovered a new Android phishing Trojan that tricks users into entering their banking credentials by popping up a fake login page on top of legitimate banking apps. Similarly, the latest Android ransomware copies Google's design style to make it appear more legitimate and intimidating when it displays fake FBI warnings on users' lockscreens. We have also seen phone ransomware start to encrypt files, such as pictures, rather than simply change the phone's access PIN.

Ransomware Goes Mobile

- Imagine the frustration of a user who downloads a cool new app to their phone only to find the device locked with an FBI warning on the home screen when they try to log in.
- They have two options: pay a fine and hope that the attackers unlock the phone or give up access to precious photos, contacts, and memories.

Apple iOS Users Now More at Risk than Ever

Thanks to Apple's tight control over its app store and operating system, threats to iPhones and iPads have been infrequent and limited in scale. This changed in 2015.

- In 2015, we identified nine new iOS threat families, compared to four in total previously.
- Bootlegged developer software, known as XcodeGhost, infected as many as 4,000 apps.
- The YiSpecter malware bypassed the app store altogether by using the enterprise app provisioning framework.
- Researchers found Youmi embedded in 256 iOS apps. This software is used in apps to display advertising, but also sends personal information to a remote location without users' consent.
- Vulnerabilities in Apple's AirDrop wireless file transfer system could allow an attacker to install malware on an Apple device.

iOS App Developers Haunted by XcodeGhost

As Apple sells more and more iPads and iPhones, we believe that criminals will increasingly target them, drawn in part by the higher disposable income (on average) of their owners. However, owners and Apple users should no longer assume that Apple devices are immune from attack. In September 2015, malware was discovered in a number of iOS applications in China and was discovered in a number of legitimate Apple Store apps, including WeChat, a popular IM application. The problem was that these apps were not specifically designed to be malicious, but rather their developers had been compromised with malware that was embedded into the apps they were developing.

The malicious code, known as XcodeGhost (detected as OSX.Codgost), had been discovered in certain unofficial versions of Apple's integrated development environment, Xcode. Developers of iOS applications that used these infected versions of Xcode were unknowingly allowing malicious code to be inserted into their own official iOS applications, putting their own users at risk. If a user downloads and installs an infected app, XcodeGhost uploads information about the device to its command and control (C&C) server. The attacker would then be able to issue commands through the C&C server to perform actions including:

- Creating fake phishing alerts to steal the victim's username and password
- Reading and writing data on the device's clipboard, which could be used to uncover passwords copied from a password management tool
- Hijacking the browser to open specific URLs, which could lead to further exploits

It has been estimated that hundreds of iOS apps on the Apple App Store were infected, potentially affecting hundreds of thousands of users, particularly in China, where the WeChat app is particularly popular. This threat did not require a jailbroken iOS device, as with other iOS threats previously, making it a new and rather worrying development in the mobile threat landscape. Symantec blocked 33 attacks in 2015, between September and December. Moreover, it wasn't just Apple's iOS that came under fire in 2015. Mac OS X, the company's popular desktop operating system, also saw a rise in vulnerabilities, exploits, and threats during the year.

YiSpecter Shows How Attackers Now Have iOS Firmly in Their Sights

In 2015, we saw an escalation in threats targeting the iOS platform, including YiSpecter (detected as IOS.Specter), which was also discovered in October 2015. YiSpecter was specifically designed to target Chinese speakers and has affected mainly users in East Asia, including China and Taiwan. YiSpecter is a Trojan horse that is able to exploit both jailbroken and non-jailbroken iOS devices; it essentially provides a back door onto the compromised device and installs adware. The Trojan allows an attacker to accomplish a range of tasks, including uninstalling apps, downloading new fraudulent apps, and forcing other apps to display adverts.

Targeting Non-Jailbroken iOS Devices and Certificate Abuse

YiSpecter was the first iOS threat that took advantage of Apple's enterprise app provisioning framework to compromise non-jailbroken devices. The framework is used by many businesses to legitimately deploy private apps to their workforce without having to make them publicly available on the official App Store. Apps are built and signed with enterprise certificates, and do not need to be vetted by Apple before being distributed outside of the App Store. This also affords more scope for businesses to develop apps with features that would otherwise be rejected by Apple, but could still be signed and deployed legitimately through the framework.

However, as demonstrated with YiSpecter, iOS enterprise certificates can also be used to package and sign their malware. It's not known exactly how the attackers gained access to certificates, but it's possible that they registered with Apple as an enterprise, paying the necessary fees and following the vetting procedure. Alternatively, they may have been able to steal legitimate certificates from an already-registered developer or by partnering with one.

Once the attackers had access to a valid enterprise certificate, they were able to create, sign, and distribute their malicious apps, potentially to any iOS device, without any further intervention from Apple. Of course, when Apple learns of the misuse of any enterprise certificate, it can be instantly revoked, rendering any apps signed by it useless. Enterprise-signed apps can generally only be installed once the user accepts the request to trust the app or developer. From experience, we know that asking the user whether they trust an app or developer is rarely an effective security measure, but it is one last line of defense that needs to be crossed before the malware can be installed.
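Because an enterprise-signed app never passes Apple's review, the useful defensive question for an app found on a managed device is simply which kind of provisioning it carries. The following audit helper is an added example, not Symantec's or Apple's code: it pulls the property list out of an app's embedded.mobileprovision file and classifies it. It assumes the profile is a CMS (PKCS#7) envelope around an XML plist, so the payload is located by its XML markers rather than by parsing the DER; the key names it reads (ProvisionsAllDevices, ProvisionedDevices, TeamName, TeamIdentifier, ExpirationDate, get-task-allow) are those Apple's profiles carry; the sample profile is constructed and carries no real signature.

```python
# Added example (not Symantec's or Apple's code): classify an iOS app's
# embedded.mobileprovision so that enterprise-signed builds, which bypass App
# Store review, stand out. Assumptions: the profile is a CMS (PKCS#7) blob
# wrapping an XML plist; the key names are those found in Apple's profiles;
# the sample profile below is constructed, not a real signed profile.
import plistlib
from datetime import datetime

SAMPLE_PROFILE = (
    b"\x30\x82\x0b\x2a\x06\x09CONSTRUCTED-CMS-HEADER"      # stand-in for the DER prefix
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Name</key><string>Example In-House Distribution</string>
  <key>TeamName</key><string>Example Corp (constructed)</string>
  <key>TeamIdentifier</key><array><string>EXAMPLE123</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2016-09-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>EXAMPLE123.com.example.app</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""
    + b"\x31\x82\x00\x40CONSTRUCTED-SIGNATURE-TRAILER"
)


def extract_plist(blob):
    """Pull the XML plist out of the CMS envelope and parse it (payload is not
    signature-verified here; see the note below)."""
    start = blob.index(b"<?xml")
    end = blob.index(b"</plist>") + len(b"</plist>")
    return plistlib.loads(blob[start:end])


def classify(profile, now):
    """Distribution kind plus the facts an app-vetting process wants to record.
    `now` is a naive UTC datetime, matching what plistlib returns for <date>."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"          # in-house: installs on any device, no App Store review
    elif "ProvisionedDevices" in profile:
        kind = "development" if entitlements.get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store-or-unknown"
    expires = profile.get("ExpirationDate")
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "team_ids": list(profile.get("TeamIdentifier", [])),
        "app_id": entitlements.get("application-identifier"),
        "expired": expires is not None and expires < now,
        "bypasses_app_review": kind == "enterprise",
    }


def audit(blob, now_iso):
    """Convenience wrapper: raw profile bytes plus an ISO timestamp -> report."""
    return classify(extract_plist(blob), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PROFILE, "2015-10-15T00:00:00").items():
        print(f"{key:20} {value}")
```

The report tells the reviewer that the app was provisioned for every device under a named team, which is the situation the section describes; whether that team is one the organisation recognises is the policy decision. The helper deliberately reads only the unverified payload: it cannot tell a stolen certificate from a legitimately registered one, and a revoked certificate still yields a valid-looking plist, so the team identifier should be checked against the organisation's own allow-list and the CMS signature chain verified separately before the result is trusted.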

Exploiting Apple's Private APIs

One of the reasons that YiSpecter included more advanced functionality was because it also used Apple's own private APIs to perform activities that standard iOS apps cannot. These private APIs are reserved for Apple's own apps to be able to perform a range of system-level actions. Other iOS developers are not supposed to use these APIs in their apps, and any third-party apps that do so are rejected from the Apple App Store. Of course, YiSpecter is able to circumvent the official App Store, instead relying on unofficial distribution channels to spread the malware. As a result, the threat is able to take advantage of the private APIs for its own purposes.

Cross-Platform Youmi Madware Pilfers Personal Data on iOS and Android

In October 2015, Apple pulled as many as 256 apps from its App Store for apparently violating the company's privacy guidelines. The apps had used third-party advertising technology from a company called Youmi (detected as Android.Youmi), which was secretly being used to access private information, including Apple ID email addresses and International Mobile Station Equipment Identity (IMEI) numbers. Soon after this, the same advertising library was discovered in a number of Android apps, where it was being used to perform a range of actions that could also compromise the user's privacy, including harvesting their GPS location and phone number, as well as downloading additional, potentially unwanted applications.

Distinguishing Madware

Adware and its mobile counterpart, mobile adware (or madware), has been around for many years and is a popular way of financing free apps, where the app developer is paid a fee for each of the adverts presented to their users. Many people are happy to relinquish a small area of the screen for advertising in exchange for a free app; however, this may sometimes happen without consent or be particularly aggressive. Symantec recorded a 77 percent rise in apps containing unwanted madware.

Ad-blocking tools have grown in popularity as a way to avoid this, and by blocking mobile ads, they also help to reduce mobile data costs incurred with madware traffic and minimize the number of on-screen ads. Furthermore, such software can also help to improve the security posture of a device by blocking potentially unwanted madware that may be installed without the user's permission or knowledge.

App Analysis by Symantec's Norton Mobile Insight

Symantec analyzed 71 percent more apps in 2015, and more than three times as many (230 percent more) were classified as malicious. A 30 percent rise in grayware was owing in large part to a 77 percent rise in apps containing unwanted madware.

                                          2013          2014          2015
Total apps analyzed                       6.1 million   6.3 million   10.8 million
Total apps classified as malware          0.7 million   1.1 million   3.3 million
Total apps classified as grayware         2.2 million   2.3 million   3.0 million
Grayware further classified as madware    1.2 million   1.3 million   2.3 million

Protecting Mobile Devices

We recommend that people and employers treat mobile devices like the small, powerful computers that they are and protect them accordingly, including:

- Access control, including biometrics where possible.
- Data loss prevention, such as on-device encryption.
- Automated device backup.
- Remote find and wipe tools, in the event of a lost device.
- Regular updating. For example, the latest version of Android, codenamed Marshmallow (version 6.0), was launched in October and includes a number of features designed specifically to thwart attackers. According to Statista, in October 2015, KitKat (version 4.4) was still the most widely used version of Android at 38.9 percent, and Lollipop (version 5.0) accounted for 15.6 percent.
- Refrain from downloading apps from unfamiliar sites and only install apps from trusted sources.
- Don't jailbreak devices. Jailbroken devices are often more susceptible to security issues.
- Pay particular attention to permissions requested by an app.
- Update apps as often as possible, or if a suspicious app is identified, delete it and wait for a new version to be made available.
- Change your Apple ID password, or your Google Play password, if you suspect your account has been compromised. This advice extends to safeguarding account credentials on any third-party app store.
- Watch out for any suspicious emails or push notifications to your device asking for your credentials, or any other personally identifying information.
- Until a patch is applied, proceed cautiously when using your mobile browser to preview unsolicited audio and video files.
- Android users are advised to apply any security updates issued by their carrier or device manufacturer as they become available.
- Additional mobile security solutions can also help safeguard against malicious software, and enterprises should consider mobility management tools that can help secure and control mobile devices within an organization.

Malware Definition
Programs and files that are created to do harm. Malware includes computer viruses, worms, and Trojan horses.

Grayware Definition
Programs that do not contain viruses and that are not obviously malicious, but that can be annoying or even harmful to the user (for example, hacking tools, accessware, spyware, adware, dialers, and joke programs).

Madware Definition
Aggressive techniques to place advertising in your mobile device's photo albums and calendar entries and to push messages to your notification bar. Madware can even go so far as to replace a ringtone with an ad.
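The advice above to pay attention to the permissions an app requests can be made concrete, and it is also the quickest way to spot a bundled ad SDK like the Youmi library described earlier, whose permission requests end up merged into the host app's manifest. The following Python is an added example written for this edit, not code from Symantec or the report: it parses a constructed AndroidManifest.xml and flags the permissions that gate the kinds of data Youmi was reported to harvest. The permission-to-data mapping, the package name and the manifest contents are the example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that gate the data classes the Youmi library was reported to
# harvest (IMEI, phone number, location, account e-mail) or that let an app
# pull further packages onto the device. This mapping is the example's own.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "IMEI and phone number",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.GET_ACCOUNTS": "account names, including e-mail addresses",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install additional apps",
}


def requested_permissions(manifest_xml: str) -> list:
    """Every <uses-permission android:name="..."> declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get("{%s}name" % ANDROID_NS) for el in root.findall("uses-permission")]


def triage(manifest_xml: str) -> dict:
    """Sensitive permissions the app asks for, mapped to what each one exposes."""
    return {p: SENSITIVE_PERMISSIONS[p]
            for p in requested_permissions(manifest_xml) if p in SENSITIVE_PERMISSIONS}


# Constructed sample: a flashlight app whose bundled ad SDK has merged its own
# permission requests into the host app's manifest. Hypothetical package name.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Flashlight"/>
</manifest>"""

if __name__ == "__main__":
    for perm, exposes in triage(SAMPLE_MANIFEST).items():
        print(f"{perm}: {exposes}")
```

A torch app has no business reading the IMEI, the user's location or installing other packages; those three hits are what a reviewer would ask the developer about. For a real APK the binary manifest has to be decoded first, for example with `apktool d app.apk` (which writes a plain-text AndroidManifest.xml) or `aapt dump permissions app.apk`, before feeding it to a check like this.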


Looking Ahead

We predict that mobile threats will continue to proliferate in 2016. We may soon see PC-like exploit kits for phones commercialized on the black market.

At the same time, Apple and Google are working hard to secure their operating systems and wider ecosystems. In particular, we anticipate improvements in the techniques used to validate and sign applications, as well as in application delivery. Phone users will become accustomed to frequent on-by-default application and operating system updates, and to the need for security software on their mobile devices.

This is perhaps an indicator of progress, rather than a cause for despair. It suggests that security researchers, operating system developers, and app writers are, in fact, paying more attention to mobile security by identifying and fixing more problems. Although we expect mobile devices to come under growing attack over the next year, there is also hope that with the right preventative measures and continuing investment in security, users can achieve a high level of protection against them.

THE INTERNET OF THINGS

Internet-connected things are multiplying rapidly. We saw many proof-of-concept and real-world attacks in 2015, identifying serious vulnerabilities in cars, medical devices, and more. Manufacturers need to prioritize security to reduce the risk of serious personal, economic, and social consequences.

Billions and Billions of Things

The Internet of Things has already arrived. We only have to look around at our own environment to see the impact it is having on our everyday lives. The average smartphone now has more computing power than the Space Shuttle; a smartwatch now downloads updates from the Internet; the point-of-sale terminals at a coffee shop are all connected to the company's central financial system; many cars now have satellite navigation and Bluetooth connections; an Internet-connected thermostat can control the temperature in our homes.

In the USA, for example, there are 25 online devices per 100 inhabitants, and that is just the beginning. Gartner forecasts that 6.4 billion connected things will be in use worldwide in 2016, and that the number will reach 20.8 billion by 2020 (Gartner, Inc., press release, November 10, 2015).

If the Internet of Things is to deliver the promised $2 trillion economic benefit, designers and manufacturers have to address fundamental security challenges. The prospects, however, are not good.

The Insecurity of Things

Over the last year, Symantec has seen an increase in proof-of-concept attacks and growing numbers of IoT attacks in the wild. In numerous cases, the vulnerabilities were obvious and all too easy to exploit. IoT devices often lack stringent security measures, and some attacks are able to exploit vulnerabilities in the underlying Linux-based operating systems found in many IoT devices and routers. Many issues stem from how securely vendors implemented mechanisms for authentication and encryption (or did not). Here are some examples:

- Cars. Fiat Chrysler recalled 1.4 million vehicles after researchers demonstrated a proof-of-concept attack in which they managed to take control of the vehicle remotely. In the UK, thieves hacked keyless entry systems to steal cars.
- Smart home devices. Millions of homes are vulnerable to cyberattacks. Symantec research found multiple vulnerabilities in 50 commercially available devices, including a smart door lock that could be opened remotely online without a password.

We expect to see more stories like this in the coming year. If a device can be hacked, it likely will be. In addition, where there are proof-of-concept attacks, real attacks invariably follow. We may even see IoT devices become the preferred route for attacking an organization, and potentially the most difficult for incident response staff to recognize and remove.

Given the present poor state of security on connected devices, they will present an increasingly attractive target to criminals who look for easy targets in the same way that burglars prefer houses without alarms or resident dogs.


Infographic: Peek into the Future: The Risk of Things

Internet-connected things, in billions (source: gartner.com/newsroom/id/3165317):
2014: 3.9; 2015: 4.9; 2016: 6.4; 2020: 20.8 (predicted)

Today in the USA, there are 25 connected devices per 100 inhabitants.

The insecurity of things:
- Medical devices. Researchers have found potentially deadly vulnerabilities in dozens of devices such as insulin pumps and implantable defibrillators.
- Smart TVs. Hundreds of millions of Internet-connected TVs are potentially vulnerable to click fraud, botnets, data theft and even ransomware, according to Symantec research.
- Cars. Fiat Chrysler recalled 1.4 million vehicles after researchers demonstrated a proof-of-concept attack where they managed to take control of the vehicle remotely. In the UK, thieves hacked keyless entry systems to steal cars.


Home Automation to Reach a Tipping Point by 2020

Despite the increased attention and rapid development, the Internet of Things has not reached critical mass when it comes to home automation. Perhaps one of the final hurdles holding IoT dominance back has to do with standardized communication protocols. So far, we have seen plenty of growth with interconnected IoT devices using well-established protocols, such as Wi-Fi and Bluetooth. Devices that utilize 802.11b/g/n/ac wireless protocols, including smart TVs, intelligent thermostats, IP cameras, and other devices, are cropping up everywhere. Devices that employ Bluetooth 4.0, such as fitness trackers, smart watches, and other wearables, have also helped IoT gain significant traction in that market.

However, these communication protocols fall flat in many home automation cases. The latest Wi-Fi technologies work well for quick and efficient wireless connections, but have power requirements that can put a strain on smaller devices. Bluetooth does operate better in this scenario, but its short range does not make it ideal for communication from more than a few feet away. That's not to say that it cannot be done; it just has not been possible to do it cheaply enough to bring the technology to ubiquity.

A number of vendors have stepped in to address these communications challenges, though none has yet come to dominate the market. This has resulted in a fragmented market of competing wireless communication specifications tied to specific vendors or vendor groups. What may finally open the gates for small, low-powered IoT devices is Wi-Fi HaLow (IEEE 802.11ah), a new communications protocol for IoT and wearable devices, slated to be finalized and certified between 2016 and 2018. Once released, router manufacturers could quickly incorporate the protocol into their products, as with other communications protocols like 802.11ac, and in so doing open the doors for consumers to automate their homes more easily and cheaply.

Of course, when introducing any new technology, the attack surface expands, which presents a variety of new problems from a security standpoint. Proprietary IoT networks have already been found with multiple security vulnerabilities, some trivial and some serious. The fundamental question regarding IoT and home automation is not "How do we do this?" It is "How do we do this securely?"

With the adoption of common standards, it is likely that older proprietary protocols will fall by the wayside, paving the way for potentially greater consolidation in the marketplace. While larger, well-known brand names will continue to release their own products, smaller, innovative IoT companies will become attractive targets for organizations seeking to quickly expand their portfolios into those areas. However, cybersecurity must be at the core for the adoption of this new breed of IoT technology to succeed. As more homes become connected, it will be difficult for consumers to ignore the benefits that this new technology will promise.

It is always important to weigh the convenience of remote control, automation, and ease of use, and the benefits they can bring, against the potential risks introduced that could lead to hackers opening IoT locks, disabling IoT burglar alarms, or generally wreaking havoc with IoT devices.

How to Protect Connected Devices

Protecting the Internet of Things requires the same holistic approach as other areas of IT security. Unfortunately, both industrial IoT ecosystems, like the Industrial Internet Consortium (IIC), and consumer IoT ecosystems, such as the AllSeen Alliance, are still very early in defining standards for this rapidly evolving area. To address this, Symantec published its Security Reference Architecture and contributed to the IIC and AllSeen efforts, along with the Online Trust Alliance (OTA) IoT Trust Framework and the US Department of Homeland Security (DHS) Security Tenets for Life Critical Embedded Systems.

Effective security requires layers of security built into devices and the infrastructure that manages them, including authentication, code signing, and on-device security (such as Embedded Critical System Protection technology). Analytics, auditing, and alerting are also key to understanding the nature of threats emerging in this area. Finally, strong SSL/TLS encryption plays a crucial role in authentication and data protection.

Towards a Secure, Connected Future

As with other aspects of Internet security, some threats are more dangerous than others, and while a hacked fitness monitor may be an inconvenience, a vulnerability in millions of cars may present a more serious danger. Similarly, a backdoor in a medical device may give thieves access to medical records, albeit on a relatively small scale, or it may lead to serious injury or potentially even death.

The remedies are well understood, but manufacturers need to prioritize security and find the right balance between innovation, ease of use, and time-to-market constraints. Fundamentally, companies and consumers need to be assured that suppliers are building security into the IoT devices they are buying.

WEB THREATS

WEB ATTACKS, TOOLKITS, AND EXPLOITING VULNERABILITIES ONLINE

If web servers are vulnerable, then so are the websites they host and the people who visit them. Attackers are exploiting any vulnerability they can to compromise websites and commandeer their host servers. The ease of use and wide availability of web attack toolkits is feeding the number of web attacks, which doubled in 2015.

Website owners still aren't patching and updating their websites and servers as often as they should. This is like leaving a window open through which cybercriminals can climb and take advantage of whatever they find.

Over the past three years, more than three quarters of websites scanned contained unpatched vulnerabilities; in 2015, one in seven (15 percent) of those vulnerabilities were deemed critical.


Scanned Websites with Vulnerabilities

2013: 77%; 2014: 76% (-1 percentage point); 2015: 78% (+2 percentage points)

Percentage of Vulnerabilities Which Were Critical

2013: 16%; 2014: 20% (+4 percentage points); 2015: 15% (-5 percentage points)

A critical vulnerability is one which, if exploited, may allow malicious code to be run without user interaction, potentially resulting in a data breach and further compromise of visitors to the affected websites.

Annual Plugin Vulnerabilities, 2013-2015 (chart series: Adobe plug-ins, Apple plug-ins, Chrome plug-ins, ActiveX plug-ins; values labelled on the chart: 375, 336 and 679)

The number of vulnerabilities in Adobe plugins grew in 2015, an indication that attackers are seeking to exploit plugins that are not only cross-platform but also ubiquitous. Most Adobe vulnerabilities are related to Adobe Flash Player (also known as Shockwave Flash).

Problematic Plugins

It's not just the operating systems making web servers vulnerable. While many of the major content management system providers have improved security and implemented automatic updates in recent years, the security of plugins for these systems is still a big problem.

Browser Vulnerabilities, 2011-2015 (chart series: Opera, Mozilla Firefox, Microsoft Internet Explorer, Google Chrome, Apple Safari; annual totals labelled on the chart: 351, 591, 639, 876 and 891)

The End Is Nigh for Flash

Adobe Flash Player has continually been the subject of malicious exploitation over the years and accounted for 10 of the vulnerabilities classified as zero days in 2015 (17 percent), compared with 12 in 2014 (50 percent) and five in 2013 (22 percent). With such rich pickings, it's clear to see why attackers are partial to exploiting Flash. Apple, Google, and Mozilla have all expressed their concerns with the Flash plugin, and Google recently announced that Flash will no longer be supported natively in Chrome. Mozilla continues to support Flash within Firefox as an exception to its general plugin policy.

From a security perspective, we expect Adobe Flash will gradually fall out of common usage over the next year.

Web Attacks Blocked per Month, 2013-2015 (in thousands)

The chart shows the number of web attacks blocked each day on average since 2013. An average of one million web attacks was blocked each day in 2015, an increase of 117 percent (more than double) compared with 2014.


Exploiting Plugins for Web Servers

It's not only plugins for web browsers that are vulnerable and exploited. Take WordPress, which now powers a quarter of the world's websites, for example. Anyone can write a WordPress plugin, and they often do. Plugins range from the useful to the completely ridiculous, such as Logout Roulette: on every admin page load, there's a 1 in 10 chance you'll be logged out.

The problem is, some plugins are shockingly insecure. Windows attracts many exploits because of its large user base, and the same applies to WordPress plugins. Vulnerable plugins found on WordPress sites can and will be exploited. Plugins, whether for browsers or servers, need to be updated regularly as they are vulnerable to security flaws, and out-of-date versions should be avoided where possible.

Minimize Risk from Plugins

- Update plugins regularly.
- Watch the media and security lists for warnings.
- Be very selective about the plugins used to reduce your attack surface.

Angling for Malicious Ads

The Angler exploit kit, first seen in 2013, is arguably among the most sophisticated exploit kits available today, and has pioneered many technical advances that other exploit kits have often followed, including the use of anti-cybersecurity countermeasures. For example, Angler is able to download and execute malware from memory, without needing to write any files to disk, in an attempt to evade detection by traditional security technology. Additionally, one significant factor in Angler's incredible growth in 2015 is that it has been very fast at integrating the growing number of new zero-day exploits into its arsenal.

Web Attack Exploit Toolkits

It is difficult to defend against new and unknown vulnerabilities, particularly zero-day vulnerabilities for which there may be no patch, and attackers are trying hard to exploit them faster than vendors can roll out patches. In 2015, following the breach of Hacking Team, an Italy-based company, previously unknown zero-day exploits were made public by the attackers. Exploits for zero-day vulnerabilities were shared and, within hours, integrated into exploit toolkits.

Top Five Web Attack Toolkits

The Angler exploit kit was the most common exploit kit in use during 2015, and accounted for 23 percent of all exploit-kit web attacks. It has grown considerably in the last year and was not featured in the top five for 2014.

Share of exploit-kit web attacks by toolkit:
2014: Sakura 23%, Nuclear 10%, Styx 7%, OrangeKit 5%, Blackhole 5%, other 50%
2015: Angler 23%, Nuclear 6%, RIG 4%, Magnitude 2%, Neutrino 1%, other 64%

Angler was the most active exploit kit in 2015, and hundreds of thousands of attacks by this kit were blocked by Symantec on a daily basis. In total, the number of Angler-based attacks blocked exceeded 19.5 million. Angler's favorite delivery mechanism was malvertisements, favoring exploited Adobe Flash vulnerabilities. Windows was the preferred target for Angler in 2015: Windows 7 in particular accounted for 64 percent of Angler attacks, and Windows 8.1 accounted for 24 percent. Mac OS X did not appear to be in the firing line for attackers using the Angler toolkit in 2015, but this is expected to change as cybercriminals seek to exploit the Apple ecosystem.

Infection by Injection

In 2015, Symantec also saw the return of Team GhostShell, which claims to have hacked a significant number of websites. Earlier this year, the Symantec Security Response team reported:

"From first appearances, the recently released list of hacked websites seems to be random and there is no indication that any particular country or sector is being targeted. The group is more than likely hacking websites based on their vulnerability. In keeping with its previous modus operandi, it is likely that the group compromised the databases by way of SQL injection attacks and poorly configured PHP scripts."

Again, these are hacks that most likely could have been prevented with better website and server management. SQL injection is a long-established attack method, which continues to work because of an unnecessary weakness in the way applications build search queries from user input: when the input is pasted into the query text instead of being passed as a bound parameter, an attacker can supply SQL of their own.
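To make the SQL injection weakness behind the Infection by Injection cases concrete, here is an added example (not from the report, and not Team GhostShell's actual targets or tooling): the same lookup written once with the input pasted into the query text and once with a bound parameter, both run against a constructed in-memory SQLite table holding two dummy users. The payload strings are the two classic shapes an attacker tries first.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a site's user table, loaded with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-alice"), ("bob", "hash-bob")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The injectable pattern: the search term is pasted into the SQL text, so
    quote characters in it become part of the query's syntax."""
    sql = f"SELECT username FROM users WHERE username = '{term}'"
    return sorted(conn.execute(sql).fetchall())


def lookup_parameterised(conn: sqlite3.Connection, term: str) -> list:
    """The fix: the term travels as a bound parameter and is only ever data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(conn.execute(sql, (term,)).fetchall())


# Two classic payloads (constructed for this example).
BYPASS = "' OR '1'='1"                              # tautology: every row matches
DUMP = "' UNION SELECT password_hash FROM users--"  # read another column; -- comments out the trailing quote

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:    ", lookup_vulnerable(db, BYPASS))
    print("vulnerable, union dump:   ", lookup_vulnerable(db, DUMP))
    print("parameterised, tautology: ", lookup_parameterised(db, BYPASS))
    print("parameterised, real name: ", lookup_parameterised(db, "alice"))
```

With the tautology the vulnerable lookup returns every user; with the UNION payload it returns the password hashes instead of usernames, which is exactly the kind of database dump the passage describes. The parameterised version returns nothing for either payload, because the driver never lets the quote characters reach the SQL parser. The same split applies to PHP's PDO prepared statements versus string-built queries.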

Tech Support Scams Go Nuclear, Spreading Ransomware

In 2015, Symantec recorded an increase in tech support scams equivalent to a 200 percent rise compared to the previous year. Tech support scams are not a new tactic, and hundreds of thousands of people worldwide are targeted on a daily basis. The earliest types of tech support scams involved call center workers cold-calling users, trying to sell them technical support packages to resolve non-existent problems on their intended victims' computers.

These scams have evolved over time, and more recent examples may display seemingly endless fake warning messages, urging the intended victims to call a toll-free number for help. On calling the number, seemingly professional-sounding call center staff try to convince their intended victims to install malware and other unwanted applications onto their computers, while claiming it will fix their problems.

In the latest twist, tech support scammers were found using the Nuclear exploit kit to drop ransomware onto their intended victims' computers. The scammers could distract the user while the ransomware encrypts files on their computer, perhaps increasing their chances of earning money from the victim.

While this wasn't the first time tech support scammers have been discovered installing ransomware, the most recent examples include a malicious HTML iframe on their website, redirecting visitors to a server hosting the Nuclear exploit kit. The exploit kit was found to be taking advantage of the Adobe Flash Player Unspecified Remote Code Execution Vulnerability (CVE-2015-7645), among other vulnerabilities. On success, it dropped either Trojan.Cryptowall (ransomware) or Trojan.Miuref.B (an information-stealing Trojan).

This was the first time Symantec had seen tech support scams used in parallel with the Nuclear exploit kit to deliver ransomware, and if this proves to be an effective combination, the trend is set to continue. While it may be quite plausible that tech support scammers and exploit kit attackers have joined forces, it is also possible that the tech support scammers' own web servers were compromised by a separate group who are using the Nuclear exploit kit.

Malvertising

The middle of 2015 was filled with accounts of malvertising affecting almost every segment of the ad-supported Internet. One possible explanation is that malvertising is simply an easier way to infect site visitors than spamming out links to infected websites. It's much easier for an attacker to compromise a popular site, or to host malicious ads on popular, high-traffic websites, because it means they don't need to consider the complex nuances of social engineering, eliminating one more step in the attacker's pipeline.

Ad companies often don't request a lot of information from people submitting ads, making it easy for criminals to masquerade as legitimate businesses and upload malicious ads, which can then appear on any number of sites.

Thanks to the use of cookies, malware authors can also tailor their malicious code or redirects to target almost any subset of users, by geography, time of day, company, interests, or recent Internet activity.

Classification of Most Frequently Exploited Websites

Technology and business related websites were the most popular for hosting malicious content and malvertising in 2015.

Rank  2015 category       2015 % of infected websites   2014 category       2014 %
1     Technology          23.2%                         Technology          21.5%
2     Business            8.1%                          Hosting             7.3%
3     Search              7.5%                          Blogging            7.1%
4     Blogging            7.0%                          Business            6.0%
5     Dynamic             6.4%                          Anonymizer          5.0%
6     Educational         4.0%                          Entertainment       2.6%
7     Domain Parking      3.2%                          Shopping            2.5%
8     Entertainment       2.6%                          Illegal             2.4%
9     Shopping            2.4%                          Domain Parking      2.2%
10    Illegal             2.1%                          Virtual Community   1.8%

Blocked Tech Support Scams, January to December 2015 (in millions)

In total, Symantec blocked more than 100 million malware or exploit-kit attacks relating to tech support scams in 2015. The countries targeted the most by tech support scams were the US, UK, France, Australia, and Germany.


Unfortunately, malvertising is notoriously difficult to track, and criminals have become increasingly clever, removing the malicious code from their ads after an hour or two, making it almost invisible. Since it is powerful, effective, and hard to analyze, we expect the use of malvertising to continue to grow. Consequently, an increased demand for ad-blockers may in turn help to reduce the negative impact of malvertising.

CYBERSECURITY CHALLENGES FOR WEBSITE OWNERS

Whether it's the way we shop, work, or pay our tax bill, trust and confidence in online services has become critical to our way of life. Thankfully, changes are coming to the way we use and secure the Internet to reinforce trust in online privacy, security, and transactions.

Website security encompasses more than the information in transit between a server and visitors to a website. Organizations need to think about their websites as parts of an entire ecosystem that needs constant care and attention if they want to retain people's trust and confidence.

The consequences of failing to bolster website security are likely to extend beyond the costs to an individual company: it will damage consumer confidence, and the wider economic fallout could be huge.

Put Your Money Where Your Mouse Is

The scales finally tipped during the 2015 Thanksgiving holiday weekend in the US, as the number of consumers shopping online exceeded those shopping in store, according to the National Retail Federation.

E-commerce is big business, and Ecommerce Europe reported that global business-to-consumer e-commerce turnover grew by 24 percent, reaching $1.9 trillion in 2014. However, that may seem small compared to the $6.7 trillion that Frost & Sullivan estimates the business-to-business e-commerce market will be worth by 2020. Frost & Sullivan's forecast includes all forms of electronic commerce, including Internet and electronic data interchange systems.

Even governments are becoming increasingly dependent on digital services to keep their books balanced. The British government, for example, recently revealed that it had saved £1.7 billion through digital and technology transformation in 2014.

While SSL/TLS certificates, trust marks, and good website security all help maintain the online economy, all this economic activity could be at risk if people lose trust and confidence in the security foundations of the online economy.

Websites Are Still Vulnerable to Attacks Leading to Malware and Data Breaches

Websites are a critical element in major attacks: they are a way into the network, they are a way into sensitive data, and they are a way to reach customers and partners. For example, the rise in malware aimed at Linux web servers, including website hosts, shows that criminals have realized that the infrastructure behind websites is as valuable, if not more so, than the information encrypted by SSL/TLS certificates.

Many attacks against website infrastructure could be prevented with regular maintenance and patching, but the numbers suggest that website owners just aren't managing to keep up. Three quarters of the websites Symantec scanned in 2015 had vulnerabilities, a number that hasn't shifted in years.

Cybercriminals continued to find vulnerabilities in the underlying infrastructure of website security in 2015, including FREAK, which allowed an attacker intercepting a secure connection to force the server to downgrade to weaker, export-grade encryption that is far easier to crack.

Distributed denial-of-service (DDoS) attacks also continued to prove disruptive to businesses in 2015. While large-scale attacks such as the one that hit the BBC at the end of 2015 tend to grab headlines, businesses of every size are a target for attack, and smaller sites often suffer as collateral damage when a host has to shut down a server, taking multiple sites offline, because of an attack on just one of its clients. Mitigation tactics and tools exist to defend against DDoS attacks, but website managers need to take the time to understand and deploy them if they are to keep their websites safe.

Moving to Stronger Authentication

It's not all bad news. There were several advances in both the strength and adoption of SSL/TLS certificates in 2015, as well as initiatives by Certificate Authorities (CAs) to make issuing SSL/TLS certificates more transparent.

Crucially, nearly 40 percent of all downstream Internet traffic in the US is now encrypted, according to research from Sandvine, and this is expected to grow to more than 70 percent of the world's Internet traffic over the coming year.

Unfortunately, in a world where everything is encrypted, consumers have a false sense of security that whenever they see HTTPS in the browser, the website that they are on has been validated and authenticated and must therefore be genuine. In reality, online fraud has historically occurred on Domain Validated (DV) sites, which offer no validation of the organization behind the site.

With DV certificates, the CA will verify that a contact at the domain in question approves the certificate request, usually via email or telephone, and this is often automated. Consequently, DV certificates are usually cheaper than the more rigorous Extended Validation (EV) SSL certificates, which require more vetting and validation. While DV certificates verify the consent of a domain owner, they make no attempt to verify who the domain owner really is, making them ideal for both phishing and MITM (man-in-the-middle) attacks. Symantec expects to see a move by organizations, particularly those driven by PCI compliance, to strengthen the requirements for stronger authentication and to adopt EV SSL certificates providing greater levels of assurance.

SSL/TLS certificates will also become stronger with the shift from SHA-1 to SHA-2 for signing them. Historically, SHA-1 has been a very popular one-way hash function, where each hash generated from a source is intended to be unique: there should be no collision where two different sources generate the same hash. However, the first weaknesses were identified as early as 2005. This came to a head in 2014 when Google announced it would soon no longer support sites using SHA-1 and would display security warnings to visitors trying to access sites with SHA-1 certificates expiring after 1st January 2017. Several other browser vendors followed suit, spelling the inevitable end for SHA-1.

The security community is making great progress, and there is a real opportunity to significantly reduce the number of successful website attacks, but it will only happen if website owners step up and take action too.
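The SHA-1 policy described above is simple to apply once the signature algorithm and the expiry date have been read out of the certificate. The following Python is an added example, not code from the report or any CA or browser vendor: it encodes a minimal synthetic, unsigned certificate skeleton in DER, parses the signatureAlgorithm OID and notAfter back out of it with a small TLV walker, and applies the 2017 cut-off. The skeleton, its dates and the two RSA signature OIDs it distinguishes are the example's own choices; a real certificate carries far more fields, but the top-level layout the check relies on is the standard X.509 one.

```python
# OIDs for the two RSA signature algorithms this check distinguishes
# (ECDSA-signed certificates would need their own OIDs added).
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs packed, the rest base-128."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der(0x06, bytes(body))


def tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        width = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    return tag, buf[pos:pos + n], pos + n


def children(body: bytes) -> list:
    """All TLVs directly inside a SEQUENCE body, as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = tlv(body, pos)
        out.append((tag, value))
    return out


def decode_oid(body: bytes) -> str:
    parts, arc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        arc = (arc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(arc)
            arc = 0
    return ".".join(map(str, parts))


def build_cert(sig_oid: str, not_after: str) -> bytes:
    """Synthetic, unsigned X.509 skeleton carrying only the fields the check
    reads (RFC 5280 layout); names and the public key are empty placeholders."""
    alg = der(0x30, der_oid(sig_oid) + der(0x05, b""))
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"150101000000Z") + der(0x17, not_after.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))      # [0] version v3
                    + der(0x02, b"\x01")                 # serialNumber
                    + alg + empty_name + validity + empty_name
                    + der(0x30, b""))                    # subjectPublicKeyInfo placeholder
    return der(0x30, tbs + alg + der(0x03, b"\x00"))   # signatureValue placeholder


def cert_fields(cert_der: bytes):
    """Return (signature algorithm OID, notAfter UTCTime) from a DER certificate."""
    _, cert_body, _ = tlv(cert_der)
    tbs, sig_alg, _signature = children(cert_body)
    sig_oid = decode_oid(children(sig_alg[1])[0][1])
    items = children(tbs[1])
    if items[0][0] == 0xA0:            # optional explicit version tag
        items = items[1:]
    validity = items[3]                # serial, signature, issuer, validity, ...
    not_after = children(validity[1])[1][1].decode()   # assumes UTCTime (pre-2050 dates)
    return sig_oid, not_after


def chrome_sha1_warning(cert_der: bytes) -> bool:
    """True if the certificate is SHA-1 signed and expires on or after
    1 January 2017, the cut-off Google announced for treating it as insecure."""
    sig_oid, not_after = cert_fields(cert_der)
    if sig_oid != SHA1_WITH_RSA:
        return False
    yy = int(not_after[:2])            # UTCTime YYMMDDhhmmssZ; RFC 5280 maps 00-49 to 20xx
    year = 2000 + yy if yy < 50 else 1900 + yy
    return (year, int(not_after[2:4]), int(not_after[4:6])) >= (2017, 1, 1)


if __name__ == "__main__":
    for label, oid, expiry in [("sha1, expires 2017-12-31", SHA1_WITH_RSA, "171231235959Z"),
                               ("sha1, expires 2016-11-30", SHA1_WITH_RSA, "161130235959Z"),
                               ("sha256, expires 2017-12-31", SHA256_WITH_RSA, "171231235959Z")]:
        print(label, "->", "warning" if chrome_sha1_warning(build_cert(oid, expiry)) else "ok")
```

For a certificate you actually have, `openssl x509 -in cert.pem -outform DER -out cert.der` produces the bytes that `cert_fields` expects, and `openssl x509 -in cert.pem -noout -text` shows the same Signature Algorithm line for a manual cross-check. The walker reads only the outer layout and does not verify the signature; that is the job of the TLS stack, not of an inventory script.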

Accelerating to Always-On Encryption

Nearly 40 percent of all downstream Internet traffic in the US is now encrypted, according to research from Sandvine, and this is expected to grow to more than 70 percent of the world's Internet traffic over the year. This sudden upsurge is down to a number of factors:

- Big company commitment. Some of the biggest names on the Internet have already adopted HTTPS, including Facebook, Twitter and, more recently, Netflix.

- Search engine preference. Google announced in 2014 that the adoption of HTTPS everywhere would have a positive impact on search rankings, encouraging site owners to adopt it to get an edge in search engine rankings.

- HTTP upgrade. The Internet Engineering Task Force (IETF), the organization in charge of creating standards for the Internet, published a new version of the Hypertext Transfer Protocol in 2015. Dubbed HTTP/2, it will likely be adopted as standard in the near future and, as the specification states, HTTP/2 "enables a more efficient use of network resources", meaning HTTP/2 is designed to deliver better, faster, more responsive performance for websites out of the box. And every major browser has said its support for HTTP/2 is only going to be over SSL/TLS. In effect, this makes encryption mandatory for sites using this new standard.

The hope is that within the next few years, every page on the Internet will be served with an SSL/TLS certificate. Symantec is already working with web hosting providers to help them provide encryption as part of their service to website owners.

Reinforced Reassurance

Several major browsers are also changing their security indicators (the colours and symbols used in the address bar to indicate to visitors how safe a site is) to make it clear when an SSL/TLS-secured web page includes unsecured content that is vulnerable to man-in-the-middle tampering. In other words, this will make it clearer when a site fails to achieve always-on encryption and the danger this poses.

This is just one example of the drive to offer added reassurance to website visitors and online shoppers, which also includes trust marks and shopping guarantees, which help to allay the fears many shoppers have when they shop online and can't see the store owner in person or hold the goods they're buying in their hands.

Image: browser security indicators. Taken from Mozilla's Security Blog.


Websites Need to Become Harder to Attack

Organizations need to be more proactive around SSL/TLS implementation. It's not a one-and-done task. Tools that automate and streamline the process are essential.

Updates are released regularly for SSL/TLS protocol libraries, such as OpenSSL, to protect against newly found vulnerabilities, but website owners still have to install them. The move from SHA-1 certificates to the much stronger SHA-2 is also accelerating, but again organizations have to deploy the new certificates properly for the change to be effective.

Rather than thinking solely about protection, website managers need to think about protection, detection, and response. They need to use automation tools to monitor their websites continually for signs of vulnerability or attack, block those attacks, and then report, update, and patch accordingly.

SSL/TLS AND THE INDUSTRY'S RESPONSE

SSL/TLS remains at the heart of online privacy, authentication, and encryption, but around them is an infrastructure of trust that requires maintenance and vigilance if it is to remain effective. The industry must learn and adapt.

The Evolution of Encryption

On August 11, 1994, Daniel Kohn sold a CD to a friend in Philadelphia. His friend used his credit card to spend $12.48, plus shipping costs, in a transaction that, for the first time ever, was protected by encryption technology. The site Daniel ran at the time required customers to download a special browser to conduct secure transactions, which employed the PGP encryption standard that his website relied on.

Reporting the next day, the New York Times commented: "Alarmed by increasing reports of security breaches on the Internet, many people and businesses are reluctant to transmit sensitive information, including credit card numbers, sales information, or private electronic mail messages, on the network."

Twenty years later, people's concerns remain the same, although their behaviour suggests they're willing to take the risk of relying on their bank for help if something goes wrong. Without a consistent and secure SSL/TLS infrastructure, however, this fragile state of trust will crumble and ecommerce simply won't be able to function.

Strength in Numbers

The strength of SSL/TLS has come a long way since 1994, and this year saw the switch from SHA-1 to SHA-2 as the industry standard moving forward. As computing power has increased, so has an attacker's ability to find collisions in hashing algorithms through sheer brute force. Many experts predict that SHA-1 will become vulnerable in the very near future. That's why the major browsers have agreed to stop supporting SHA-1 certificates during the next two years, so that any visitors trying to access a site continuing to use them will see a security warning.

"The current plan is to [stop accepting SHA-1 certificates] on January 1, 2017. However, in light of recent attacks on SHA-1, we are also considering the feasibility of having a cut-off date as early as July 1, 2016," says Mozilla, and there has been discussion of bringing those dates even further forward to accelerate the change.

Symantec offers a free upgrade service, but large organizations need to ensure they have a full migration plan in place to update any devices and applications that may not currently recognize SHA-2.

Time to freak out?

- The vulnerability known as FREAK was discovered back in March 2015. Attackers who intercepted the setting up of a secure connection between an affected server and client could force them to use export-grade encryption, a much weaker form of encryption than is usually used today, making the transacted messages easy to break with the computing resources available today.

- It's estimated that servers supporting 9.6 percent of the top one million website domains were initially vulnerable to attack, and nine months later 8.5 percent remain so.

Slipping through the Cracks

Despite encryption getting stronger, many of the attacks aimed at SSL/TLS this year have focused on weaknesses in the wider SSL/TLS ecosystem. Symantec has seen a much greater focus in the last year on the code libraries related to SSL/TLS implementations, and as a result, we have seen a regular stream of vulnerability updates and fixes.

That's the good news. But the most common unpatched vulnerabilities on web servers in the last year reveal that website owners aren't keeping up with the releases. It's vital that website managers maintain the integrity of their SSL/TLS implementations. It's not a fit-and-forget task.

Most common unpatched vulnerabilities found on web servers in 2015:

1. SSL/TLS POODLE vulnerability
2. Missing X-Content-Type-Options header
3. Missing X-Frame-Options header
4. SSL certificate signed using weak hashing algorithm
5. Cross-site scripting vulnerability
6. Missing Strict-Transport-Security header
7. SSL v2 support detected
8. Missing Secure attribute in an encrypted session (SSL) cookie
9. SSL weak cipher suites supported
10. SSL and TLS protocols renegotiation vulnerability

Although we didn't see any vulnerabilities as potentially dangerous as 2014's Heartbleed, OpenSSL released several updates and patches throughout 2015. OpenSSL is one of the most widely-used implementations of the SSL and TLS cryptographic protocols and is used on two-thirds of all web servers. The updates it released were for vulnerabilities that ranged from low risk to high severity and which could allow attackers to carry out man-in-the-middle attacks to eavesdrop on secure communications or to launch denial-of-service attacks.
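As an added example (not code from the report, and not Symantec's SSL Toolbox), the following Python audit takes the kind of snapshot a TLS/HTTP scanner returns for one host and reports the issues from the list above, together with the export-grade cipher and small Diffie-Hellman group conditions behind FREAK and Logjam that this page discusses elsewhere. The ServerProfile fields, the two snapshots and the 2048-bit DH threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ServerProfile:
    """What a TLS/HTTP scanner would report for one host (constructed here)."""
    protocols: List[str]          # protocol versions the server accepts
    cipher_suites: List[str]      # OpenSSL-style suite names the server offers
    cert_signature_alg: str       # signature algorithm on the leaf certificate
    dh_bits: int                  # ephemeral DH group size, 0 if DHE not offered
    secure_renegotiation: bool    # RFC 5746 secure renegotiation supported
    headers: Dict[str, str]       # response headers from an HTTPS GET
    set_cookies: List[str]        # raw Set-Cookie header values from that response


# Substrings of OpenSSL suite names that mark export, NULL, RC4,
# single-DES, anonymous and MD5-based suites.
WEAK_SUITE_MARKERS = ("EXP-", "NULL", "RC4", "DES-CBC-", "ADH-", "AECDH-", "-MD5")


def cookie_attributes(raw: str) -> List[str]:
    """Lower-cased attribute names of a Set-Cookie value (name=value dropped)."""
    parts = [p.strip() for p in raw.split(";")][1:]
    return [p.split("=", 1)[0].lower() for p in parts if p]


def audit(profile: ServerProfile) -> List[str]:
    """One finding per issue from the list above; empty list when clean."""
    findings: List[str] = []
    if "SSLv2" in profile.protocols:
        findings.append("SSL v2 support detected")
    if "SSLv3" in profile.protocols:
        findings.append("POODLE: SSLv3 enabled")
    weak = [s for s in profile.cipher_suites if any(m in s for m in WEAK_SUITE_MARKERS)]
    if weak:
        findings.append("Weak cipher suites supported: " + ", ".join(weak))
    if any(s.startswith("EXP-") for s in weak):
        findings.append("FREAK: export-grade cipher suites offered")
    if 0 < profile.dh_bits < 2048:   # assumption: 2048 bits is the floor
        findings.append(f"Logjam: ephemeral DH group is only {profile.dh_bits} bits")
    if profile.cert_signature_alg.lower().startswith(("sha1", "md5")):
        findings.append("Certificate signed using weak hashing algorithm: "
                        + profile.cert_signature_alg)
    if not profile.secure_renegotiation:
        findings.append("Renegotiation vulnerability: secure renegotiation not supported")

    headers = {k.lower(): v for k, v in profile.headers.items()}
    if "strict-transport-security" not in headers:
        findings.append("Missing Strict-Transport-Security header")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("Missing X-Content-Type-Options header")
    if "x-frame-options" not in headers:
        findings.append("Missing X-Frame-Options header")
    for raw in profile.set_cookies:
        if "secure" not in cookie_attributes(raw):
            findings.append("Missing Secure attribute on cookie " + raw.split("=", 1)[0])
    return findings


# Constructed snapshots: a typical 2015 laggard, and the same host hardened.
LEGACY = ServerProfile(
    protocols=["SSLv3", "TLSv1", "TLSv1.2"],
    cipher_suites=["EXP-RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "AES128-SHA",
                   "DHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
    cert_signature_alg="sha1WithRSAEncryption",
    dh_bits=1024,
    secure_renegotiation=False,
    headers={"Content-Type": "text/html"},
    set_cookies=["SESSIONID=abc123; Path=/; HttpOnly"],
)

HARDENED = ServerProfile(
    protocols=["TLSv1.2"],
    cipher_suites=["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                   "DHE-RSA-AES256-GCM-SHA384"],
    cert_signature_alg="sha256WithRSAEncryption",
    dh_bits=2048,
    secure_renegotiation=True,
    headers={"Content-Type": "text/html",
             "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
             "X-Content-Type-Options": "nosniff",
             "X-Frame-Options": "DENY"},
    set_cookies=["SESSIONID=abc123; Path=/; Secure; HttpOnly"],
)

if __name__ == "__main__":
    for name, profile in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, audit(profile) or ["no findings"])
```

The audit works on a recorded snapshot rather than a live host, so it can run inside the monitoring loop the paragraph above calls for and be diffed from one scan to the next; the cipher check is a substring match on OpenSSL names, which is enough to catch the families in the 2015 list but not a substitute for the server's own cipher string evaluation.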

Checks and Balances

In order to strengthen the SSL/TLS ecosystem, Symantec has pushed for the widespread adoption of DNS Certification Authority Authorization (CAA). This allows an organization, or DNS owner, to specify in a DNS record which certificate authorities (CAs) it will buy SSL/TLS certificates from. If a malicious actor, or an employee who doesn't know company policy, tries to purchase a certificate from a CA not on the approved list, that CA can check the CAA record and alert the DNS owner of the request. CAA is checked by the CA at issuance time, so it constrains only CAs that honour it; browsers do not verify it.

This reduces the risk of rogue certificates being issued in a legitimate organization's name without its knowledge, which in turn reduces the risk of criminals being able to set up certified phishing sites.

In an effort to better spot rogue certificates, Symantec is also complying with Google's request to log all EV certificates it issues to Certificate Transparency logs. As of March 2016, Symantec is also logging OV and DV certificates. Along with software that can monitor and audit certificates and their use, this creates, as its authors say, "an open framework that lets anyone observe and verify newly issued and existing SSL certificates in nearly real time."
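The CA-side check that CAA enables, as an added example rather than the report's or any CA's code: given the CAA records a resolver would return for each name (the ZONE map below is constructed), decide whether a CA may issue for a requested name by climbing the DNS tree to the closest name that has CAA records, as RFC 6844 specifies, and collect the iodef contacts the CA would use to alert the DNS owner. Treating a wildcard request as a lookup on its base name and refusing on an unknown property marked critical are assumptions of this example, marked in the comments.

```python
from typing import Dict, List, NamedTuple, Optional


class CAARecord(NamedTuple):
    flags: int      # bit 7 (value 128) = issuer critical
    tag: str        # property tag: issue, issuewild, iodef, ...
    value: str      # "issuer-domain; params", or ";" meaning no CA at all


# Constructed zone data: the CAA RRset a resolver would return per name.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [CAARecord(0, "issue", "trusted-ca.example"),
                    CAARecord(0, "iodef", "mailto:security@example.com")],
    "dev.example.com": [CAARecord(0, "issue", ";")],            # nobody may issue
    "shop.example.com": [CAARecord(0, "issue", "trusted-ca.example"),
                         CAARecord(0, "issuewild", "wild-ca.example")],
    "blog.example.com": [CAARecord(0, "iodef", "mailto:blog@example.com")],
    "legacy.example.com": [CAARecord(128, "future-tag", "x")],  # unknown, critical
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name: str, zone: Dict[str, List[CAARecord]] = ZONE
                   ) -> Optional[List[CAARecord]]:
    """RFC 6844 tree climbing: the RRset at the name itself, otherwise the
    one at the closest ancestor that has any, otherwise None."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None


def may_issue(ca_domain: str, requested_name: str,
              zone: Dict[str, List[CAARecord]] = ZONE) -> bool:
    """Is the CA identified by ca_domain authorized for requested_name?"""
    wildcard = requested_name.startswith("*.")
    base = requested_name[2:] if wildcard else requested_name   # assumption: check base name
    rrset = relevant_rrset(base, zone)
    if rrset is None:
        return True                      # no CAA published anywhere: unrestricted
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False                     # assumption: unknown critical property => refuse
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"                # issuewild takes precedence for wildcards
    applicable = [r for r in rrset if r.tag.lower() == tag]
    if not applicable:
        return True                      # e.g. an iodef-only set restricts nothing
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in applicable}
    allowed.discard("")                  # ";" authorizes no issuer at all
    return ca_domain.lower() in allowed


def report_targets(requested_name: str,
                   zone: Dict[str, List[CAARecord]] = ZONE) -> List[str]:
    """iodef contacts the CA should notify about a request it refuses."""
    base = requested_name[2:] if requested_name.startswith("*.") else requested_name
    rrset = relevant_rrset(base, zone) or []
    return [r.value for r in rrset if r.tag.lower() == "iodef"]


if __name__ == "__main__":
    for ca, name in [("trusted-ca.example", "www.example.com"),
                     ("other-ca.example", "www.example.com"),
                     ("trusted-ca.example", "api.dev.example.com"),
                     ("wild-ca.example", "*.shop.example.com")]:
        verdict = "issue" if may_issue(ca, name) else f"refuse, notify {report_targets(name)}"
        print(f"{ca} for {name}: {verdict}")
```

The climb matters in practice: a record at example.com covers every hostname beneath it that has no CAA of its own, so a single "issue" record at the apex is enough to fence a whole organization, and a ";" record on a sub-zone such as dev.example.com blocks issuance there entirely.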

Trust Services, Electronic Identification (eID), and Electronic Trust Services (eTS)

In September 2015, the European Commission completed the adoption of all the implementing acts required for the new eIDAS Regulation. This regulation marks a major change in the regulatory environment to enable secure and seamless electronic interactions between businesses, citizens, and public authorities across Europe.

Moreover, it is also an important step forward in promoting greater security requirements for Certificate Authorities (CAs) with the implementation of an EU Trust Mark for Qualified Trust Services. The new trust mark will help in clearly differentiating qualified trust services from others in the market, fostering greater transparency and confidence in such essential online services.


SOCIAL MEDIA, SCAMS, & EMAIL THREATS

SOCIAL ENGINEERING AND EXPLOITING THE INDIVIDUAL

The sophistication and ruthlessness of some of the attacks and tactics used by cybercriminals in 2015 have demonstrated how vulnerable individuals are online and chipped away at public confidence in online security. Data breaches, government surveillance, and good old-fashioned scams came together to further encroach on personal privacy, whether it is personal photos, login credentials or medical histories. Personal data is anything but private.

Trust No One

In 2015, Symantec saw plenty of traditional scams and malware attacks intended to gather personal information. For example, one scam promised large numbers of followers for free on Instagram, while seeking to fool people into revealing their passwords. Some attacks impersonated tax officials in an attempt to trick people into downloading malicious email attachments.

In their simplest form, many scams still rely on the poor security habits of the general public to succeed. However, we have also seen how poor website security can expose customer data. In the latter case, it doesn't matter how strong a password may be if the website is vulnerable to a data breach.

More concerning are attacks in 2015 that made use of sophisticated social engineering to bypass the two-factor authentication systems designed to safeguard users. By triggering a legitimate password-reset process and then posing as Google via SMS, one scam was able to exploit the public's trust in a reputable brand to gain access to email accounts without raising the victim's suspicions.

Infographic (source: Symantec): how the SMS password-reset scam works. The attacker's text message to the victim reads "Google has detected unusual activity". Google sends the verification code (for example 5483829) to the victim. The victim therefore expects the password-reset verification code that Google sends out and passes it on to the attacker. The attacker can then reset the password and, once they have what they want or have set up forwarding, can inform the victim, again posing as Google, of their new temporary password, leaving the victim none the wiser.


Secrets and Lies

While traditional scams continued, 2015 also saw more salacious scams and threats to privacy.

Online sextortion has been around for years, and more recent examples, particularly prevalent in Asia, have turned to malicious Android apps. These scammers, using an attractive avatar or profile picture, encourage the intended victim to share sexually explicit videos. The criminals then encourage the victim to continue the liaison using an Android app, which also gathers the victim's phone number, account details, and all of their contacts.

Now with an incriminating video, and a list of the victim's friends and family, the gang threatens to send the sexually explicit content to the victim's entire contact list unless they pay up. Because of the sensitive nature of the threat, victims often find it difficult to go to the authorities and end up sending hundreds, if not thousands, of dollars to the attacker.

In the wake of the Ashley Madison attack, a spike in spam messages with subject lines like "How to Check if You Were Exposed in Ashley Madison Hack" or "Ashley Madison hacked, is your spouse cheating?" was reported. The hack was perhaps more unusual in that its ramifications went well beyond the financial sphere to affect people's personal relationships and reputations.

Social media remains a favored target of scammers, as criminals seek to leverage the trust people have in their own social circles to spread scams, fake links, and phishing. To succeed, the social engineering involved must be convincing, and so we see more progressive and ingenious tactics to dupe potential victims.

One scam in particular went to great lengths to create an entire family tree of hundreds of thousands of fake Twitter accounts, each branch boosting the credibility of the one above, to gain followers and retweets from genuine Twitter users. At the top of the family tree were accounts impersonating news outlets and celebrities, even curating real tweets from the genuine accounts to make them seem more credible. Through the discovery of these imposter accounts, we identified three account types that were being used:

- Mockingbird accounts: use brand and celebrity imagery for ...
- Parrot accounts: supply the retweets and favorites for the Mockingbird tweets and follow anyone and everyone in the hope of being followed back
- Egg accounts: act like new users with no tweets and use the default egg avatar

Each tweet from a Mockingbird account received nearly 1,000 retweets and 500 favorites, which were not genuine, as they originated from a secondary account type, which we called the Parrot. In turn, Parrot accounts follow anyone and everyone in the hope that genuine Twitter users will follow them back, a remarkably effective tactic. If these Parrot accounts only retweeted spam from the Mockingbird accounts, they would quickly be spotted, which is why they also posted other tweets too, typically copying tweets and retweeting memes from genuine Twitter users. On the other hand, the majority of Egg accounts never composed a single tweet. Instead, they would simply be used to bolster the number of followers of the Parrot accounts into the hundreds.

This complex operation centered on weight-loss spam. The operators went to great lengths to avoid anti-spam measures and were able to operate for a long time.

Graphic showing how the spam operation works. Taken from the white paper.


Social networking scams require some form of interaction, and manual sharing remained the main route for social media attacks in 2015, expanding on the technique that had snowballed in the previous year.

Chart: Social Media scam types as a percentage of social media scams, 2013-2015 (Manual Sharing, Fake Offering, Likejacking, Fake Apps, Fake Plugin).

Chart: Number of Phishing URLs on Social Media, 2013-2015 (y-axis 0 to 30,000). The chart shows how social media has played a crucial role in the social engineering of attacks in the past. In recent years, these sites have clamped down on such abuses, and made it much harder for the attackers to exploit them.

- Manual Sharing: These rely on victims to actually do the work of sharing the scam by presenting them with intriguing videos, fake offers, or messages that they share with their friends.

- Fake Offering: These scams invite social network users to join a fake event or group with incentives, such as free gift cards. Joining often requires the user to share credentials with the attacker or send a text to a premium rate number.

-
 Likejacking: Using fake Like buttons, attackers trick users into clicking website buttons that install malware and may post updates on a user's newsfeed, spreading the attack.

- Fake Apps: Users are invited to subscribe to an application that appears to be integrated for use with a social network, but is not as described, and may be used to steal credentials or harvest other personal data.

- Fake Plugin: Users are invited to install a plugin to view a video, but the plugin is malicious and may spread by re-posting the fake video message to a victim's profile page without permission. Examples include installing a fake YouTube premium browser extension to view the video, or a notice that a DivX plugin is required, with the fake plugin masquerading as such. For more information visit: http://www.symantec.com/connect/blogs/fake-browser-plug-newvehicle-scammers

Language and Location Is No Barrier

Other forms of attack seen in 2015 also prove just how sophisticated and ruthless criminals are willing to be to make a profit. Wherever you live or whatever language you speak, you could still be under threat from cyber attackers. Take Boleto, a payment system used in Brazil, for example. Boleto may be considered a niche, very local system, and yet in 2015, three malware families emerged specifically targeting it.

Similar localized attacks around the world show that cybercriminals are putting in the effort to manipulate victims no matter the location or the language. Adapting phishing scams using phishing toolkits makes it extremely easy to conduct a campaign against a target in one country, change the templates, and quickly target another elsewhere. Often the language used in such localized attacks has been automatically translated through the templates and may appear convincing to a non-native speaker.

Safeguarding Against Social Engineering

Cybercrime costs the global economy up to US$575 billion annually according to BofA Merrill Lynch Global Research, whose report goes on to say that in a potential worst-case 2020 "Cybergeddon" scenario, cybercrime could extract up to a fifth of the value created by the Internet. It is everyone's responsibility to do all they can to prevent that from happening.

For consumers, it's time to kick bad habits. Many people know the basics of good cybersecurity, yet people continue to share their passwords. In fact, more than a third of people who share passwords in the United States have shared the password to their online banking account. People need to start taking more responsibility for shoring up their online security.

Users should be more wary of who they follow on social media. Bots can appear more and more like a real person, and are sometimes difficult to spot. When choosing who to trust on social media, consider the following advice:


- Be skeptical of new followers. If a random person follows you, do not automatically follow them back. Look at their tweets. Are they retweeting content that looks like spam? If they are, they are most likely a bot.

- Numbers can lie. Even if these random followers have tens of thousands of followers, those numbers can easily be faked. Do not base your decision to follow them back on how many people follow them.

- Look for the verified badge. Twitter users should always check to see if a well-known brand or famous celebrity has been verified by Twitter before following. The blue verified badge denotes that Twitter has authenticated the true owner of an account.

Taking risks with cybersecurity is not acceptable, and we should reject the misconception that privacy no longer exists. Privacy is something precious, and should be protected carefully.

For businesses, this means approaching security in terms of education, cybersecurity awareness training, and good digital hygiene. Every employee should be part of the effort to stay digitally healthy. CIOs and IT managers need to be aware of just how many risks they face and start proactively monitoring for symptoms so that they can diagnose digital diseases before putting customer data and customer confidence at risk.

Email Abuse

Email continues to dominate digital communications, regardless of the rising popularity of instant messaging technology for both business and consumer use. Symantec estimates there were approximately 190 billion emails in circulation each day in 2015, a number that we predict will grow by as much as 4 percent by the end of 2016. On average, each business user sent and received 42 emails each day, and a growing number of individuals were reading email on mobile devices. For cybercriminals who want to reach the largest number of people electronically, email is still the favored way to do it.

No wonder it is still widely used by Internet criminals for spam, phishing, and email malware. In 2015, Symantec saw email threats decline. Email-based attacks from phishing and malware are categorized as spam, and accounted for approximately one percent of all spam email. Symantec provides further analysis of spam classified as malware and phishing, as these threats have potentially significant, harmful consequences.

Symantec scans a significant proportion of the global business email traffic, giving us a unique insight into this medium and the security threats it poses. Many business emails will never be sent outside of an organization; approximately three quarters of external business email traffic was inbound, and more than half of that was spam.

Spam Trends

More than half of inbound business email traffic was spam in 2015, despite a gradual decline over recent years. In 2015, spam reached its lowest level since 2003. However, the spam problem is not going away. Spammers are finding other ways to reach their audiences, including the use of social networking and instant messaging, two of the most popular types of applications found on mobile devices. In exploiting them in addition to email, spammers continually seek to evolve their tactics.

In addition, Symantec has observed an increase in what is commonly known as snowshoe spam. As an analogy, snowshoes are designed to spread the wearer's weight across a wide area, and snowshoe spamming distributes large volumes of spam across a wide range of IP addresses. As the name implies, this technique seeks to circumvent anti-spam technology, such as propagation latency and IP address reputation, by sending large volumes of spam in very short bursts spread thinly across many IP addresses, so that no single address sends enough to earn a bad reputation before the burst is over. By also quickly rotating domains and recirculating IP addresses, spammers make such campaigns more difficult to block quickly.
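One way to detect the pattern described above, as an added example that is not Symantec's detection logic: group messages by a normalized subject fingerprint and flag a fingerprint that arrives within a short window from many distinct /24 networks and sender domains while no single IP sends more than a couple of messages, which is exactly the shape that per-IP reputation and rate limits miss. The log format, the sample lines and the thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network
from typing import Dict, List, NamedTuple


class Msg(NamedTuple):
    ts: datetime
    src_ip: str
    sender_domain: str
    subject: str


# Constructed MTA log format: <iso-timestamp> ip=<addr> from=<sender> subj="<subject>"
LOG_RE = re.compile(r'^(\S+) ip=(\S+) from=[^@\s]+@(\S+) subj="(.*)"$')


def parse(line: str) -> Msg:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, ip, domain, subject = m.groups()
    return Msg(datetime.fromisoformat(ts), ip, domain.lower(), subject)


def fingerprint(subject: str) -> str:
    """Collapse digits, punctuation and spacing so per-message variation
    (offer numbers, random tokens) maps to a single campaign key."""
    return " ".join(re.sub(r"[^a-z]+", " ", subject.lower()).split())


def slash24(ip: str) -> str:
    return str(ip_network(f"{ip}/24", strict=False))


def find_snowshoe(msgs: List[Msg], window: timedelta = timedelta(minutes=10),
                  min_prefixes: int = 5, min_domains: int = 3,
                  max_per_ip: int = 2) -> Dict[str, Dict[str, int]]:
    """Return {fingerprint: stats} for campaigns whose messages arrive in one
    burst spread across many /24s and sender domains, with each IP sending
    only a few. Thresholds are assumptions for illustration."""
    by_fp: Dict[str, List[Msg]] = defaultdict(list)
    for m in msgs:
        by_fp[fingerprint(m.subject)].append(m)
    flagged: Dict[str, Dict[str, int]] = {}
    for fp, group in by_fp.items():
        group.sort(key=lambda m: m.ts)
        start = 0
        for end in range(len(group)):
            # shrink the window from the left until it spans at most `window`
            while group[end].ts - group[start].ts > window:
                start += 1
            win = group[start:end + 1]
            prefixes = {slash24(m.src_ip) for m in win}
            domains = {m.sender_domain for m in win}
            busiest_ip = max(Counter(m.src_ip for m in win).values())
            if (len(prefixes) >= min_prefixes and len(domains) >= min_domains
                    and busiest_ip <= max_per_ip):
                stats = {"messages": len(win), "prefixes": len(prefixes),
                         "domains": len(domains)}
                if fp not in flagged or stats["messages"] > flagged[fp]["messages"]:
                    flagged[fp] = stats      # keep the widest qualifying window
    return flagged


# Constructed sample: a snowshoe burst (eight /24s, four rotating domains, one
# message per IP) mixed with a legitimate newsletter sent from a single IP.
SAMPLE_LOG = [
    '2015-06-10T09:00:01 ip=198.51.100.7 from=news@deals-a1.example subj="Lose 20 pounds fast! Offer #4821"',
    '2015-06-10T09:00:40 ip=203.0.113.9 from=news@deals-b7.example subj="Lose 20 pounds FAST - offer #9913"',
    '2015-06-10T09:01:15 ip=192.0.2.33 from=info@slim-now3.example subj="Lose 20 pounds fast, offer 1170"',
    '2015-06-10T09:02:02 ip=198.51.101.5 from=news@deals-a1.example subj="Lose 20 pounds fast! Offer #5530"',
    '2015-06-10T09:02:50 ip=203.0.114.2 from=info@slim-now3.example subj="LOSE 20 POUNDS FAST offer #8876"',
    '2015-06-10T09:03:30 ip=192.0.3.8 from=promo@fitfast-22.example subj="Lose 20 pounds fast! Offer #2045"',
    '2015-06-10T09:04:10 ip=198.18.5.1 from=news@deals-b7.example subj="Lose 20 pounds fast... offer #6671"',
    '2015-06-10T09:05:00 ip=198.19.7.2 from=promo@fitfast-22.example subj="Lose 20 pounds fast! Offer #3019"',
    '2015-06-10T09:00:30 ip=203.0.113.200 from=weekly@newsletter.example subj="Weekly update: issue 231"',
    '2015-06-10T09:01:30 ip=203.0.113.200 from=weekly@newsletter.example subj="Weekly update: issue 231"',
    '2015-06-10T09:02:30 ip=203.0.113.200 from=weekly@newsletter.example subj="Weekly update: issue 231"',
    '2015-06-10T09:03:30 ip=203.0.113.200 from=weekly@newsletter.example subj="Weekly update: issue 231"',
    '2015-06-10T09:04:30 ip=203.0.113.200 from=weekly@newsletter.example subj="Weekly update: issue 231"',
    '2015-06-10T09:05:30 ip=203.0.113.200 from=weekly@newsletter.example subj="Weekly update: issue 231"',
]


def scan_sample() -> Dict[str, Dict[str, int]]:
    return find_snowshoe([parse(line) for line in SAMPLE_LOG])


if __name__ == "__main__":
    for fp, stats in scan_sample().items():
        print(f"snowshoe campaign {fp!r}: {stats}")
```

The newsletter is never flagged because all six copies come from one /24, while a classic single-source bulk run would be caught by ordinary per-IP reputation; the detector above exists for the case where neither signal fires. Note that this relies on a stable content fingerprint, which is why snowshoe operators also vary subjects and bodies; in practice the key should come from the URLs or template structure in the body, not the subject alone.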


Overall Email Spam Rate

2013: 66%
2014: 60% (-6 pts)
2015: 53% (-7 pts)

Estimated Global Email Spam Rate per Day

Chart: daily spam rate, 2013-2015 (y-axis 10 to 100 percent). In June, spam fell below 50 percent for the first time since 2003.

Percentage of Spam in Email by Industry

Some industry sectors receive more spam than others, but the range is only approximately 5 percent.

Industry Detail                       Percentage of Email as Spam
Mining                                56.3%
Manufacturing                         54.2%
Construction                          53.7%
Services                              53.0%
Agriculture, Forestry, & Fishing      52.9%
Retail Trade                          52.7%
Nonclassifiable Establishments        52.6%
Wholesale Trade                       52.5%
Public Administration                 52.2%
Finance, Insurance, & Real Estate     52.1%
Transportation & Public Utilities     51.8%
Non SIC Related Industries
Healthcare                            54.1%
Energy                                53.0%

Spam by Company Size

No particular company size received significantly more spam than any other did, with a range of only 1.5 percent.

Company Size      Spam % in Email
1-250             52.9%
251-500           53.3%
501-1000          53.3%
1001-1500         51.9%
1501-2500         52.6%
2501+             52.5%


Phishing Trends

Over the years, phishing campaigns have become much easier to operate, thanks to the evolving cybercriminal marketplace. Attackers will cooperate, with some specializing in phishing kits, and others selling them on to other scammers who want to conduct phishing campaigns. These kits often trade for between US$2 and $10, and their users do not require much in the way of technical skills to operate them or customize their webpages to suit their needs. Scammers may use the data stolen from these attacks for their own purposes, or sell it on underground marketplaces for a profit.

Symantec has reported a concerning increase in the number and sophistication of phishing attempts targeting specific departments within organizations. While some phishing attempts may seem obvious, such as fake delivery-tracking emails, the Legal and Finance departments at some companies were targeted with well-crafted phishing attacks. Some of these included wire transfer attempts, and while it may seem surprising, some companies have lost millions of dollars because employees were fooled into believing wire transfer requests and other phishing attacks were genuine. The social engineering involved in these phishing attacks is more sophisticated and targeted. Attackers not only send generic scams to large numbers of people, but seek to develop ongoing relationships, validate access to company information, and build trust.

Social engineering requires research and reconnaissance: reviewing social media profiles and the online activity of potential targets to learn about their job, their co-workers, and the organizational structure. With this information so easily obtained online, phishing emails are more personalized and convincing, displaying an understanding of the business and knowledge of key executives and work processes.

Many businesses are a prime target, and an assumption that technology can provide automatic protection is a false one. While leveraging sophisticated controls and technology for protection, organizations still rely on the capability of their employees to detect advanced and targeted phishing campaigns. One successful attempt can do serious harm to a company's reputation and credibility.

Phishing Rate

Chart: phishing rate in email, 2013-2015 (1 in N emails; y-axis 300 to 3,000). Phishing numbers in 2015 continued to fluctuate, but remained in gradual decline throughout the year.

Email Phishing Rate (Not Spear Phishing)

2013: 1 in 392
2014: 1 in 965
2015: 1 in 1,846

Phishing Ratio in Email by Industry

Retail was the industry sector most heavily exposed to phishing attacks in 2015.

Industry Detail                       Phish Email Ratio
Retail Trade                          1 in 690
Public Administration                 1 in 1,198
Agriculture, Forestry, & Fishing      1 in 1,229
Nonclassifiable Establishments        1 in 1,708
Services                              1 in 1,717
Manufacturing                         1 in 1,999
Finance, Insurance, & Real Estate     1 in 2,200
Mining                                1 in 2,225
Wholesale Trade                       1 in 2,226
Construction                          1 in 2,349
Transportation & Public Utilities     1 in 2,948
Non SIC Related Industries
Energy                                1 in 2,525
Healthcare                            1 in 2,711


Phishing Rate in Email by Company Size

Company Size      Phishing Rate in Email
1-250             1 in 1,548
251-500           1 in 758
501-1000          1 in 1,734
1001-1500         1 in 2,212
1501-2500         1 in 1,601
2501+             1 in 2,862

Proportion of Email Traffic in Which Virus Was ...

Chart: 1 in N emails, 2013-2015 (y-axis 40 to 360). Caption (partial): ... remains an effective medium for cybercriminals.

Email Malware Trends

As with phishing fraud, malware distributed in emails requires social engineering to convince its recipient to open the attachment or to click on a link. Attachments can be disguised as fake invoices, office documents, or other files, and often exploit an unpatched vulnerability in the software application used to open that type of file. Malicious links may direct the user to a compromised website using a web attack toolkit to drop something malicious onto their computer.

Threats like Dridex exclusively use spam email campaigns, and incorporate real company names in the sender address and in the email body. The vast majority of Dridex spam masquerades as financial emails, such as invoices, receipts, and orders. The emails include malicious Word or Excel attachments with a payload that drops the actual malware, which is designed to target online banking information. The cybercriminal group behind this particular attack has used many different techniques for sending spam and malware: simple malware attachments, hyperlinks in the message body that point to an exploit kit landing page, malicious PDF attachments, and document macros.

Email malware has not been in decline in the same way as general spam, and because of its relatively low volume in comparison, it is more subject to fluctuation. Spikes occur when large campaigns are undertaken.
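A gateway check for the attachment type that Dridex campaigns rely on, as an added example rather than Symantec's scanning logic: inspect the bytes of an Office attachment and quarantine it when it carries a VBA project, regardless of the file extension the sender chose. The OOXML check is exact (a vbaProject.bin part inside the zip); the legacy OLE check is a heuristic search for the UTF-16LE storage names a VBA project uses and is stated as an assumption in the code; a production gate should parse the OLE directory (for example with oletools) instead. The sample files are constructed and contain no macro code.

```python
import io
import zipfile
from typing import Tuple

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.docm/.xlsx/...

# Storage/stream names a VBA project uses inside an OLE file; the OLE
# directory stores names as UTF-16LE. Assumption-based heuristic, not a
# full OLE parse.
OLE_VBA_NAMES = ("_VBA_PROJECT", "Macros", "VBA")


def has_macros(data: bytes) -> Tuple[bool, str]:
    """Decide from content, not extension, whether an Office file carries VBA."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return False, "zip container could not be read"
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                return True, f"OOXML part {name}"
        return False, "OOXML without a VBA part"
    if data.startswith(OLE_MAGIC):
        for name in OLE_VBA_NAMES:
            if name.encode("utf-16-le") in data:
                return True, f"OLE storage name {name!r}"
        return False, "OLE without VBA storage names"
    return False, "not an Office container"


def gate_attachment(filename: str, data: bytes, external_sender: bool) -> str:
    """Gateway policy (an assumption of this example): macro-bearing Office
    files from outside the organization are quarantined; everything else
    continues to the regular malware scan."""
    macros, reason = has_macros(data)
    if macros and external_sender:
        return f"quarantine {filename}: {reason}"
    return f"allow {filename}: {reason}"


# --- constructed samples (no real documents or malware) ---------------------
def build_ooxml(with_vba: bool) -> bytes:
    """Minimal OOXML-shaped zip; a real document has many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


FAKE_OLE_WITH_VBA = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64
FAKE_OLE_PLAIN = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")
PDF_BYTES = b"%PDF-1.4\n%constructed sample\n"

if __name__ == "__main__":
    print(gate_attachment("invoice_4471.doc", FAKE_OLE_WITH_VBA, external_sender=True))
    print(gate_attachment("invoice_4471.docx", build_ooxml(True), external_sender=True))
    print(gate_attachment("report.docx", build_ooxml(False), external_sender=True))
    print(gate_attachment("statement.pdf", PDF_BYTES, external_sender=True))
```

The second sample shows why the check reads content rather than names: a file called invoice_4471.docx that contains a vbaProject.bin part is still quarantined. The OLE heuristic can misfire on a document that happens to contain those byte sequences in embedded binary data, which is the reason to move to a real OLE parser before enforcing rather than alerting.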

Email Malware Rate (Overall)

2013: 1 in 196
2014: 1 in 244
2015: 1 in 220

Malicious File Attachments in Email

Chart caption: In 2015, Office documents were the most popular attachment type, with ...

Virus Ratio in Email by Industry

The retail sector had the highest rate of email-borne malware in 2015, with more than one percent of email classified as malicious.

Industry Detail                       Ratio of Malware in Email
Retail Trade                          1 in 74
Public Administration                 1 in 151
Agriculture, Forestry, & Fishing      1 in 187
Services                              1 in 199
Wholesale Trade                       1 in 234
Construction                          1 in 240
Manufacturing                         1 in 243
Nonclassifiable Establishments        1 in 277
Mining                                1 in 304
Finance, Insurance, & Real Estate     1 in 310
Transportation & Public Utilities     1 in 338
Non SIC Related Industries
Energy                                1 in 319
Healthcare                            1 in 396

Ratio of Malware in Email Traffic by Company Size

The highest rate of malware in email traffic was in the 251-1000 company size grouping. The range was 0.4 percent.

Company Size      Malware Rate in Email
1-250             1 in 184
251-500           1 in 82
501-1000          1 in 189
1001-1500         1 in 312
1501-2500         1 in 168
2501+             1 in 352

Communications Attacks

We saw a succession of attacks and vulnerabilities in the underlying encryption used to secure email transmissions. For example, the Logjam attack exploits a weakness in the Diffie-Hellman key exchange that begins an encrypted session, forcing it down to export-grade parameters.

- Customers can check their domains for Logjam, and other major vulnerabilities, using Symantec's SSL Toolbox.

- Use this free tool to check for major issues, such as POODLE or Heartbleed, as well as potential errors in your SSL/TLS certificate(s) installation.

Email Encryption

Email encryption is valuable because it protects the privacy of messages and can help to authenticate senders. It is under threat because of vulnerabilities in the underlying technology (see above) but also because it is not widely used.

Although webmail systems such as Microsoft's Outlook.com and Google Mail use encryption between the browser and the service, and almost all email systems prioritize encrypted transmission, a surprising proportion of email is still sent in the clear over unencrypted SMTP transfers between mail servers. The usual reason is that STARTTLS is opportunistic: if the receiving server does not offer it, the sender falls back to plaintext rather than refusing to deliver. Google reports that in 2015, around 57 percent of inbound emails were encrypted, compared with 51 percent the year before. The proportion of outbound encrypted emails rose from 65 percent to 80 percent in the same period. It isn't unusual for some spam to be sent using encryption: as long ago as 2010, the Rustock botnet used TLS encryption as a means to disguise the spam it was sending.

Good desktop and gateway email encryption tools do exist, including Symantec's own, but companies need to make better use of the technology available to them to protect email in transit and at rest.
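As an added example, not the report's code, here is an outbound delivery helper that treats STARTTLS as mandatory by default, falls back to cleartext only for destinations explicitly listed in a policy map, and verifies the receiving server's certificate once TLS is up. The policy map contents and the "encrypt" default are assumptions of this example; smtplib's esmtp_features dictionary and starttls(context=...) are the standard library's real interface.

```python
import smtplib
import ssl
from typing import Mapping


class PlaintextDeliveryRefused(RuntimeError):
    """Raised when policy demands TLS but the peer did not offer STARTTLS."""


DEFAULT_POLICY = "encrypt"   # assumption: mandatory TLS unless a domain is listed below

# Constructed per-destination policy map (the equivalent of an MTA's TLS policy
# table); "may" means opportunistic TLS with cleartext fallback, "encrypt"
# means refuse to deliver without TLS.
POLICY_MAP = {"legacy-partner.example": "may"}


def policy_for(recipient_domain: str) -> str:
    return POLICY_MAP.get(recipient_domain.lower(), DEFAULT_POLICY)


def choose_transport(policy: str, esmtp_features: Mapping[str, str]) -> str:
    """Map the peer's EHLO extensions (smtplib stores them lower-cased in
    SMTP.esmtp_features) to 'tls' or 'cleartext', or refuse outright."""
    if "starttls" in esmtp_features:
        return "tls"
    if policy == "may":
        # Opportunistic mode: this silent fallback is what a STARTTLS-stripping
        # man-in-the-middle relies on, which is why it is not the default here.
        return "cleartext"
    raise PlaintextDeliveryRefused(f"policy {policy!r} but peer offers no STARTTLS")


def deliver(host: str, sender: str, recipient: str, message: str, port: int = 25) -> str:
    """Send one message, upgrading to verified TLS whenever the peer offers it.
    Returns the transport that was used."""
    domain = recipient.rsplit("@", 1)[-1]
    policy = policy_for(domain)
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        transport = choose_transport(policy, smtp.esmtp_features)
        if transport == "tls":
            ctx = ssl.create_default_context()   # verifies the chain and the hostname
            smtp.starttls(context=ctx)
            smtp.ehlo()                           # re-read capabilities after the upgrade
        smtp.sendmail(sender, recipient, message)
    return transport
```

Calling deliver() needs a reachable SMTP server and so is not exercised here; the decision logic in policy_for() and choose_transport() is what an administrator would tune. Note that an "encrypt" policy with a verified certificate is what protects the session; an "encrypt" policy that accepts any certificate stops passive sniffing but not an active man-in-the-middle.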

35

TABLE OF CONTENTS

2016 Internet Security Threat Report

SOCIAL MEDIA & SCAMS

Email Security Advice

Looking Ahead

Organizations and individuals need to realize that even if they do not think they are an obvious target for cybercriminals, it does not mean they are immune.

With a continual three-year decline, we expect phishing attacks to remain at least at current levels, if not decline further. Phishing attacks have become more targeted, and less scattergun. Many attacks have shifted towards social media, adding to the decline in email numbers. Some parts of the world suffer more from email phishing attacks than others, with the greatest decline in many English-speaking countries, North America and parts of Western Europe.

On a personal level, this means remaining vigilant by:

• Not opening emails from unknown senders
• Looking for the padlock and checking the encryption certificate on any sites where you enter sensitive data
• Not using unsecure networks when accessing sensitive data

Organizations can remain vigilant by:

• Deploying email encryption where possible
• Ensuring that email is scanned for malware, spam, and phishing
• Using web security systems to block access to known phishing sites

People will continue to do more and more online, and because Internet access and online transactions are growing in popularity among developing countries, we may even see growth in phishing attacks in these areas. For example, paying utility bills, booking doctor's appointments, applying to a university, managing frequent flyer accounts, and taking out insurance all provide fruitful inspiration for phishing attacks.

As organizations deliver more services online they need to be mindful of the need for security, and they have to work with customers to educate them further and build trust. In addition, they may need to consider two-factor authentication to ensure customer confidence and reduce the cost of phishing fraud.

As we have noted, cybercriminals are increasingly moving towards more complex email threats, where malware authors, ransomware creators, phishers, and scammers will seek to exploit what they perceive to be the weakest link in the chain: humans. Social engineering, or "head hacking", is a vital ingredient for any would-be attacker that is trying to gain access to systems that hold potentially valuable information.


TARGETED ATTACKS, SPEAR PHISHING, AND INTELLECTUAL PROPERTY THEFT

Widespread, persistent, and sophisticated attacks against government organizations and businesses of all sizes pose greater risks to national security and the economy. The number of zero-day vulnerabilities grew, and evidence of them being weaponized for use in cyberattacks was revealed. Spear-phishing campaigns became stealthier, targeting fewer individuals within a smaller number of select organizations.

Persistent Attacks

In February 2015, 78 million patient records were exposed in a major data breach at Anthem, the second largest healthcare provider in the US. Symantec traced the attack to a well-funded attack group, named Black Vine, that has associations with a China-based IT security organization, called Topsec. Black Vine is responsible for carrying out cyberespionage campaigns against multiple industries, including energy and aerospace, using advanced, custom-developed malware.

Other high-profile targets of cyberespionage in 2015 included the White House, the Pentagon, the German Bundestag, and the US Government's Office of Personnel Management, which lost 21.5 million personnel files, including sensitive information such as health and financial history, arrest records, and even fingerprint data.

These attacks are part of a rising tide of sophisticated, well-resourced, and persistent cyberespionage attacks around the world. Targets include state secrets, intellectual property such as designs, patents, and plans, and as evidenced by recent data breaches, personal information.

Symantec's continuing investigation into the Regin Trojan gives us a further glimpse into the technical capabilities of state-sponsored attackers. It revealed 49 new modules, each of which adds new capabilities, such as keylogging, email and file access, and an extensive command-and-control infrastructure. Symantec analysts commented that the level of sophistication and complexity of Regin suggests that the development of this threat could have taken well-resourced teams of developers many months or years.

Currently, spear-phishing and watering-hole attacks that exploit compromised websites are the favored avenues for targeted attacks. However, as additional layers of technology are introduced to an organization, its attack surface expands. With businesses turning more to cloud technology and the prevalence of IoT devices, we expect to see targeted attacks seeking to exploit vulnerabilities in these systems within the next year or two. Cloud services particularly vulnerable to exploits, such as SQL injection flaws, will likely be targeted first. Spear-phishing campaigns exploiting misconfiguration and poor security by users, rather than cloud service providers, will bear low-hanging fruit for the attackers.

In order to remain below the radar, spear-phishing campaigns have increased in number, but have become smaller with fewer individuals targeted in each campaign. We expect spear-phishing campaigns will soon consist of just a single target, or a few select individuals at the same organization. Moreover, the larger spear-phishing campaigns will likely all be conducted using web-based watering hole attacks, with compromised websites exploiting highly-coveted zero-day vulnerabilities.

Zero-Day Vulnerabilities and Watering Holes

Zero-day vulnerabilities are particularly valuable to attackers. Indeed, because zero-day vulnerabilities are such a seemingly rare commodity, attackers will closely guard their exploits so that they may be used for longer and remain undetected. Sophisticated watering-hole attacks, using compromised websites, activate only when a visitor to that website originates from a particular IP address. Reducing collateral damage in this way makes it less likely that the covert attack is discovered. Moreover, this approach also makes it more difficult for security researchers who may visit the website from a different location. Once an exploit is disclosed publicly by the relevant vendor, these watering-hole sites will often switch to using another unpublished exploit for a different zero-day vulnerability in order to remain hidden.

The breach of Hacking Team in 2015 stood out because the attackers weren't after money or identities; they were after cyberweapons, such as zero-day exploits. Hacking Team is an Italian outfit that specializes in covert surveillance and espionage software marketed at government users. Previously unknown zero-day exploits were uncovered in the attack and made public by the attackers. Details of weaponized zero-day vulnerabilities and numerous Trojans used by the group were shared within days on public forums, and within hours, exploit kit authors had integrated them into their exploit toolkits.

Diversity in Zero Days

There was an unprecedented 54 zero-day vulnerabilities found throughout 2015, more than doubling the number found in the previous year. Discovering unknown vulnerabilities and figuring out how to exploit them has clearly become a go-to technique for advanced attackers, and there is no sign of this trend changing.

Because of this, and because of their very nature, we believe that the number of zero-day vulnerabilities yet to be discovered is much higher.

Year    Zero-Day Vulnerabilities    Change from Previous Year
2013    23
2014    24                          +4%
2015    54                          +125%

Most of the zero days seen in 2015 target old, faithful technologies that have been targeted for years. Attackers racked up 10 individual zero-day vulnerabilities against Adobe's Flash Player during the year. Microsoft received equal attention from malicious zero-day developers, though the 10 zero-day vulnerabilities found targeting its software were distributed across Microsoft Windows (6), Internet Explorer (2), and Microsoft Office (2). The Android operating system was also targeted through four zero-day vulnerabilities during 2015.

Zero-Day Vulnerabilities, Annual Total

• The highest number of zero-day vulnerabilities was disclosed in 2015, evidence of the maturing market for research in this area.

Year    Zero-Day Vulnerabilities
2006    13
2007    15
2008    9
2009    12
2010    14
2011    8
2012    14
2013    23
2014    24
2015    54


Infographic: A New Zero-Day Vulnerability Discovered Every Week in 2015

[Infographic: on average one new zero-day vulnerability a week, based on 54 vulnerabilities in 2015. Timeline labels: "Public and vendor become aware", "Vendor builds patch"; callout for the zero-day vulnerabilities discovered in the Hacking Team breach.]


What is concerning, though not surprising, is that there were 11 zero-day vulnerabilities that were used to exploit open source software. Some exploits targeted common libraries and packages, while others went after open source web development tools, like content management systems and e-commerce platforms. Networking protocols were also highly targeted, with continued attacks against OpenSSL, as well as Samba.

However, what should give most people cause for concern is that attackers appear to be discovering and exploiting zero-day vulnerabilities in industrial control systems (ICSs), devices used to control things ranging from industrial manufacturing to power plants. There were seven known zero-day vulnerabilities during 2015 targeting a variety of different manufacturers and different devices.

The motivations behind such attacks are not clear, and could range from geopolitical disputes to ransom-related attacks. Regardless, if not monitored carefully, such attacks could have serious consequences in the future, and it doesn't look likely to go away anytime soon.

Top 5 Most Frequently Exploited Zero-Day Vulnerabilities

• With the exception of CVE-2015-0235, the most frequently targeted zero-day exploits were related to vulnerabilities in Adobe's Flash Player.
• This data is based on exploitation after the vulnerability has become public.

2015 Exploit                                           2015
Adobe Flash Player, CVE-2015-0313                      81%
Adobe Flash Player, CVE-2015-5119                      14%
Adobe Flash Player, CVE-2015-5122                      5%
Heap-Based Buffer Overflow aka Ghost, CVE-2015-0235    <1%
Adobe Flash Player, CVE-2015-3113                      <1%

2014 Exploit                                           2014
Microsoft ActiveX Control, CVE-2013-7331               81%
Microsoft Internet Explorer, CVE-2014-0322             10%
Adobe Flash Player, CVE-2014-0515                      7%
Adobe Flash Player, CVE-2014-0497                      2%
Microsoft Windows OLE, CVE-2014-4114                   <1%

In the case of CVE-2015-5119, Symantec already had signatures that were able to detect exploits four days before the vulnerability was publicly disclosed. Sometimes, existing signatures can be successful in blocking attacks exploiting new vulnerabilities, and signatures are frequently updated to block more attacks even where protection exists beforehand. Additionally, this vulnerability was among those exposed in the breach against Hacking Team.

Top 5 Zero-Day Vulnerabilities, Patch and Signature Duration

• While there were more zero-day vulnerabilities disclosed in 2015, some were proof-of-concept, but vendors were generally quicker to provide fixes in 2015 than in 2014.

[Chart: Total Time of Exposure and Average Days to Patch for the top 5 zero-day vulnerabilities, years 2015, 2014 and 2013; horizontal axis 50-325 DAYS. Values legible in the extracted chart: 295, 59, 19, 4 and 25.]

Spear Phishing

It's not only websites that may contain hidden exploits. A previously unknown vulnerability may be exploited to attack an organization using an infected document attached to an email. Such an attack is known as spear phishing, and relies heavily on very good social engineering in order to dress up the email to appear convincing.

Spear-phishing emails are sent in waves, or campaigns, to a very small group of people, often not all at once, but individually or where more than one person in an organization may be targeted. Over time, different exploits may be used against the same people, should these attacks prove ineffective. However, in recent years attackers quickly switch tactics after a few failed attempts in order to remain undetected. In previous years, they were more likely to continue with different exploits or by targeting different individuals within the organization.


Spear-Phishing Email Campaigns

• In 2015, the number of campaigns increased, while the number of attacks and the number of recipients within each campaign continued to fall. With the length of time shortening, it's clear that these types of attacks are becoming stealthier.

                                                2013             2014            2015
Campaigns                                       779 (+91%)       841 (+8%)       1,305 (+55%)
Recipients per Campaign                         23 (-81%)        18 (-20%)       11 (-39%)
Average Number of Email Attacks per Campaign    29 (-76%)        25 (-14%)       12 (-52%)
Average Duration of a Campaign                  8 Days (+173%)   9 Days (+13%)   6 Days (-33%)

(Chart axes: Campaigns 0-1,500; Email Attacks & Recipients per Campaign 0-150; years 2012-2015.)

Spear-phishing attacks are less likely to arouse suspicion with campaigns that are smaller, shorter, and target fewer recipients. A few years ago, a targeted attack campaign may have been directed to a hundred or more individuals, any one of whom may become suspicious and raise the alarm. With fewer people, this probability is greatly reduced.

In 2015, the Finance sector was the most targeted, with 34.9 percent of all spear-phishing email directed at an organization in that industry, 15 percentage points higher than the previous year. The likelihood of an organization in this sector being targeted at least once in the year was 8.7 percent (approximately 1 in 11). With so many attacks destined for this sector, some businesses were being targeted more aggressively than others. Typically, such an organization may expect to be targeted at least four times during the year. The attackers only have to succeed once, whereas the businesses must thwart each and every attack to remain secure. Businesses should already be thinking about what to do when (not if) such a breach occurs.

Top Industries Targeted in Spear-Phishing Attacks

• In 2015, we combined the Services groups (previously, Services, Professional and Services, Non-Traditional) into one group. We have also identified some of the most frequently targeted sub-sectors, including the Energy sector, which includes some mining industries, and Healthcare, which is part of the Services category.
• *The Risk in Group figure is a measure of the likelihood of an organization in that industry being attacked at least once during the year. For example, if there are 100 customers in a group and 10 of them were targeted, that would indicate a risk of 10 percent.

Industry Detail                       Distribution   Attacks per Org   % Risk in Group*
Finance, Insurance, & Real Estate     35%            4.1               8.7%
Services                              22%            2.1               2.5%
Manufacturing                         14%            1.8               8.0%
Transportation & Public Utilities     13%            2.7               10.7%
Wholesale Trade                       9%             1.9               6.9%
Retail Trade                          3%             2.1               2.4%
Public Administration                 2%             4.7               3.2%
Non-Classifiable Establishments       2%             1.7               3.4%
Mining                                1%             3.0               10.3%
Construction                          <1%            1.7               1.1%
Agriculture, Forestry, & Fishing      <1%            1.4               2.0%

Non SIC Related Industries
Energy                                2%             2.0               8.4%
Healthcare                            <1%            2.0               1.1%
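The three columns of the industry tables (Distribution, Attacks per Org and % Risk in Group) are all derived from the same raw data: one record per blocked spear-phishing email, tagged with the organization it was aimed at and that organization's industry group, plus the number of monitored customers in each group. The following added example (not code from the report or from Symantec) computes all three from a constructed record set using the Risk in Group definition given in the table notes; the organization ids, group names and customer counts are constructed, and the "1 in N" helper reproduces the way the text expresses an 8.7 percent risk as "approximately 1 in 11".

```python
"""Spear-phishing table metrics from per-organization attack counts.

Added example, not from the report: it reproduces the Distribution,
Attacks per Org and % Risk in Group columns from a constructed list of
blocked spear-phishing emails, using the definition in the table notes
(Risk in Group = customers targeted at least once / customers in the group).
Organization ids, group names and counts are constructed.
"""
from collections import Counter, defaultdict

# One entry per blocked spear-phishing email: (targeted organization, its industry group).
SAMPLE_ATTACKS = (
    [("F1", "Finance")] * 5 + [("F2", "Finance")] * 3
    + [("S1", "Services")] * 2 + [("S2", "Services")] + [("S3", "Services")]
    + [("M1", "Manufacturing")] * 4
)

# Monitored customers per group (constructed): the denominator of Risk in Group.
ORGS_PER_GROUP = {"Finance": 20, "Services": 50, "Manufacturing": 30}


def industry_metrics(attacks, orgs_per_group):
    """Return {group: {distribution, attacks_per_org, risk_in_group}} as fractions."""
    total = len(attacks)
    hits_by_group = defaultdict(Counter)  # group -> Counter(org -> attacks on it)
    for org, group in attacks:
        hits_by_group[group][org] += 1

    metrics = {}
    for group, n_orgs in orgs_per_group.items():
        hits = hits_by_group.get(group, Counter())
        n_attacks = sum(hits.values())  # emails aimed at this group
        n_targeted = len(hits)          # distinct organizations hit at least once
        metrics[group] = {
            # share of all spear-phishing email that went to this group
            "distribution": n_attacks / total if total else 0.0,
            # mean attacks per organization that was targeted at all
            "attacks_per_org": n_attacks / n_targeted if n_targeted else 0.0,
            # chance that a customer in the group saw at least one attack
            "risk_in_group": n_targeted / n_orgs,
        }
    return metrics


def one_in_n(probability):
    """Express a risk such as 0.087 the way the text does ('1 in 11')."""
    if probability <= 0:
        return "none"
    return "1 in %d" % round(1 / probability)


if __name__ == "__main__":
    for group, m in industry_metrics(SAMPLE_ATTACKS, ORGS_PER_GROUP).items():
        print("%-14s distribution %3.0f%%  attacks/org %.1f  risk %.1f%% (%s)" % (
            group, 100 * m["distribution"], m["attacks_per_org"],
            100 * m["risk_in_group"], one_in_n(m["risk_in_group"])))
```

Note that Distribution and Attacks per Org are computed only from the attacks, while Risk in Group needs the size of the monitored population; that is why a group can carry a small share of attacks yet a high risk (Mining in the table: 1 percent of attacks, 10.3 percent risk), and why a high attacks-per-org figure with a low risk indicates a few organizations being hit repeatedly.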


Industries Targeted in Spear-Phishing Attacks by Group: Finance, Insurance, & Real Estate

• Depository Institutions include organizations in the retail banking sector.

Industry Detail                             Distribution   Attacks per Org   % Risk in Group*
Finance, Insurance, & Real Estate           34.9%          4.1               8.7%
Depository Institutions                     18.9%          5.9               31.3%
Holding & Other Investment Offices          8.3%           2.9               11.0%
Nondepository Institutions                  3.7%           6.7               5.3%
Real Estate                                 1.4%           2.4               2.2%
Insurance Agents, Brokers, & Service        <1%            2.1               4.0%
Insurance Carriers                          <1%            1.6               10.1%
Security & Commodity Brokers                <1%            2.2               3.7%

Industries Targeted in Spear-Phishing Attacks by Group: Healthcare

• Healthcare falls under the Services SIC group, but we have called it out here for clarity.

Industry Detail                             Distribution   Attacks per Org   % Risk in Group*
Health Services                             <1%            2.0               1%

Industries Targeted in Spear-Phishing Attacks by Group: Energy

• Energy companies are classified in the Mining category or the Transportation and Utilities category, depending on the nature of their business. We have called these out here for clarity.

Industry Detail                             Distribution   Attacks per Org   % Risk in Group*
Energy                                      1.8%           2.0               8.4%
Oil & Gas Extraction                        1.4%           3.4               12.3%
Electric, Gas, & Sanitary Services          <1%            1.6               5.7%
Coal Mining                                 <1%            1.0               8.1%

Industries Targeted in Spear-Phishing Attacks by Group: Public Administration

• The Public Administration sector includes both national, central government agencies as well as local government.

Industry Detail                             Distribution   Attacks per Org   % Risk in Group*
Public Administration                       2.0%           4.7               3.2%
Executive, Legislative, & General           1.8%           5.7               3.6%
Justice, Public Order, & Safety             <1%            4.3               1.1%
Administration of Economic Programs         <1%            1.1               7.3%
National Security & International Affairs   <1%            2.5               3.5%
Administration of Human Resources           <1%            1.0               2.0%


Spear-Phishing Attacks by Size of Targeted Organization

• Attacks against small businesses continued to grow in 2015, although many of these attacks were directed to fewer organizations, increasing by

Analysis of Spear-Phishing Emails Used in Targeted Attacks

• Office documents, such as Word and Excel, remain popular as a delivery

• Threat Group 9 (ATG9, a.k.a. Rocket Kitten): Iran-based state-sponsored espionage attacks on journalists, human rights activists, and scientists
• Cadelle and Chafer: Iran-based and attacking mainly airlines, energy, and telcos in the Middle East, and one company in the US
• Duke and Seaduke: State-sponsored attacks against mainly European government agencies, high-profile individuals, and international policy and private research organizations; believed to have been around since 2010


Infographic: Attackers Target Both Large and Small Businesses

Like thrown paint on a blank canvas, attacks against businesses, both large and small, appear indiscriminate. If there is profit to be made, attackers strike at will. The last five years have shown a steady increase in attacks targeting businesses with less than 250 employees.

Number of Employees: Large Enterprises 2,500+; Medium-Size Businesses 251 to 2,500; Small Businesses (SMBs) 1 to 250

Spear-Phishing Attacks by Size of Targeted Organization (share of attacks)

Year    Large Enterprises    Medium-Size Businesses    Small Businesses
2011    50%                  32%                       18%
2012    50%                  19%                       31%
2013    39%                  31%                       30%
2014    41%                  25%                       34%
2015    35%                  22%                       43%

Cyber attackers are playing the long game against large companies, but businesses of all sizes are vulnerable to targeted attacks. In fact, the number of spear-phishing campaigns targeting employees increased 55% in 2015.

and Turla: Russia-based espionage spear-phishing and watering-hole attacks against government institutions and embassies; believed to have been active since 2005
• Butterfly: Attacks against multi-billion dollar corporations in IT, pharmaceuticals, commodities, including Facebook and Apple for insider trading

Profiting from High-Level Corporate Attacks and the Butterfly Effect

Butterfly is a group of extremely well-organized, highly capable hackers who are spying on companies with a view to profiting on the stock market by selling market-sensitive information to the highest bidder. The types of information the attackers potentially had access to included emails, legal documents, policy documents, training materials, product descriptions, and data harvested from specialist security systems. Stolen materials such as these could also be valuable for insider-trading purposes. Symantec first saw these attacks in 2012 and 2013 when they compromised some well-known companies including Apple, Microsoft, and Facebook. However, they also employ sophisticated counter-measures to cover their tracks, including encrypted virtual command and control servers.

Timeline of Butterfly Attacks Against Industry Sectors

• The Butterfly group has been active for a number of years, targeting a variety of organizations, including those linked to extracting natural resources.
• Their use of zero-day vulnerabilities in attacks reveals a level of sophistication that we have not seen before in commercially-motivated attacks.
• The graphic shows a timeline of when Butterfly attacks began against different industry sectors.

[Timeline graphic: sectors Legal, Technology, Pharmaceutical and Commodities, plotted across 2012 to 2016.]

Cybersecurity, Cybersabotage, and Coping with Black Swan Events

A Black Swan event is an event that was unprecedented and unexpected at the time it occurred; however, after further analysis, experts sometimes conclude that it could have been predicted. The term originates from the belief that all swans were white, until in 1697, black swans were discovered in Australia.

If advanced cyberespionage is so common, it is perhaps curious that cybersabotage is not. The capabilities required to inflict physical damage are similar to those needed for cyberespionage, and the target set is growing thanks to the proliferation of Internet-connected devices, including industrial control systems.

The British Government's 2015 security and defense review sums up the challenges neatly:

"The range of cyber actors threatening the UK has grown. The threat is increasingly asymmetric and global. Reliable, consistent cyber defense typically requires advanced skills and substantial investment. But growing numbers of states, with state-level resources, are developing advanced capabilities which are potentially deployable in conflicts, including against CNI [Critical National Infrastructure], and government institutions. And non-state actors, including terrorists and cybercriminals can use easily available cyber tools and technology for destructive purposes."

The Stuxnet cyberattack on the Iranian nuclear program is the best-known example of an Internet attack on physical infrastructure. It may be that other successful attacks have occurred in the shadows or that infections are in place, but haven't been activated yet. It seems unlikely that the world's critical infrastructure is immune. An attack at the end of 2014 on a German steel mill is a warning of potentially more serious attacks to come.

Speculations about possible cybersabotage continued into 2015 with the discovery of an information-stealing threat named Trojan.Laziok. This particular threat appears to have been designed for reconnaissance style attacks aimed at the energy sector, particularly in the Middle East. Laziok wasn't implicitly designed to attack and bring down critical infrastructure, but rather to gather information about the systems it compromised. As we discussed in ISTR 20, these attacks can be just as potent as direct attacks against critical systems, improving an attacker's ability to press further into an environment simply by learning more about the types of systems they are traversing. Simply put, if an attacker knows what types of computers he or she has or can compromise, they can decide how to proceed in order to carry out their malicious goals.


Cybersabotage and the Threat of Hybrid Warfare

The notion of hybrid threats has been around for a long time in cybersecurity, traditionally referring to malware that has many different attack vectors, such as dropping malicious Trojan code onto an infected device and infecting other code on the system, while spreading itself through email or some other means. The term hybrid warfare, however, refers to a type of warfare that is a combination of conventional and unconventional information and cyber warfare. According to NATO, the term appeared at least as early as 2005 and was subsequently used to describe the strategy used by Hezbollah in the 2006 Lebanon War.

It wasn't until the end of 2015 that speculation about cybersabotage turned into real indications of one such attack. On December 23, a power failure hit the Ivano-Frankivsk region in western Ukraine. Details emerged over the coming days and weeks of a multi-pronged cyber attack that not only disabled power in eight provinces in the region, but also masked the activity of the attackers and made it difficult to assess the extent of the outage.

The malware behind the attack appears to be a potent combination of the BlackEnergy Trojan (Backdoor.Lancafdo) and Trojan.Disakil. In order to carry out the attack, the BlackEnergy Trojan was most likely used to traverse the network, allowing the attackers to gather information about the computers they compromised until they reached the critical systems that allowed them to disconnect breakers, resulting in the loss of electricity in the region. However, it doesn't appear as though the Trojan itself disconnected the power. Rather, it allowed the attackers to discover the critical systems and then gain full control of them, after which they could use the original software on these systems to take down the power grid.

While noteworthy to this point, the attackers responsible appear to have planned the attack to such an extent that they were able to prolong the outage beyond the point it was pinpointed as an actual cyberattack. One way they were able to do this was by performing a telephone denial-of-service (TDoS) attack against the power supplier's call center, preventing customers from calling in, and leaving operators in the dark as to the extent of the outage.

However, the one-two punch in the attack appears to be tied to the use of Trojan.Disakil in the attack. A highly destructive Trojan, Disakil was likely used to overwrite system files and wipe master boot records on computers that operators would turn to in order to bring the power back online. So not only was the power taken down, so too were the systems used to restore it, forcing operators to manually restore power in circumstances where they normally would be able to do so through available software.

As with any cyber attack, attribution can be difficult to determine. Based on circumstantial evidence and current geopolitical disputes, it is fairly easy to draw conclusions; however, there is no smoking gun in this case. What is known is that the group behind the BlackEnergy Trojan has been active for many years and has targeted multiple organizations in the Ukraine, as well as Western European countries, NATO, and others. Around the time of these attacks, this group was also discovered attacking media organizations in the Ukraine. It is likely this won't be the last we hear of them.

The cybersabotage attacks in Ukraine generated much debate about the use and effectiveness of hybrid warfare, and it is likely this won't be the last we hear of these types of attacks, particularly as international tensions remain high in some parts of the world, and managing the risks from cyberterrorism moves up the agenda for many national governments.

Small Business and the Dirty Linen Attack

Of course, small businesses have smaller IT budgets, and consequently spend less on cybersecurity than their large enterprise counterparts. However, this trend has continued for years, in spite of evidence that shows a greater proportion of targeted spear-phishing attacks each year are intended for small businesses.

In 2015, 43 percent of targeted spear-phishing blocked by Symantec were destined for small businesses, compared with 34 percent in 2014. Additionally, the attackers' focus narrowed, concentrating on fewer companies, and approximately 3 percent of small businesses were targeted in 2015, compared with 45 percent in the previous year. On average, these organizations were targeted at least twice during the year. This shift from a scattergun approach of more widely dispersed attacks in 2014, to a more sniper-style line of attack converging on fewer targets in 2015, also helps to keep these attacks below the radar.

One of the most difficult challenges is knowing when your organization is in the sights of cyber attackers, particularly when most cybersecurity headlines focus on nation states vying for company secrets, and the tens of millions of credit card details and other personal data exposed in breaches. It's all too easy to believe that a targeted attack only happens to other companies. However, no business is too small or too obscure to become a target, and one good example that shows this is the Dirty Linen Attack.

Perhaps an unlikely target, General Linens Service, Inc. is a very small company, with only one location and 35 employees. They provide a linen service to restaurants and the hospitality industry, including uniforms and carpet cleaning. As unlikely a target as it would seem for a nation state, it was a competitor, General Linen Services, LLC, that had been hidden in their network for two years. Perhaps the similar choice of company name was deliberate, because for two years they were able to steal customers by accessing the targeted company's invoices, allowing them to see how much they were charging, giving them a significant advantage. The question was how they achieved this; a small business conducting cyberattacks on a rival seemed extreme. However, it transpired that the attackers noticed that both companies used the same software for their web portal, and the targeted company had not changed the default administration password. This enabled the attackers to access their data 157 times. The good news is that General Linen Services, LLC was caught and convicted, and General Linens Service, Inc. discovered the importance of following security best practices.
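Two checks would have caught the Dirty Linen attack at either end: an audit that the portal's administration account no longer uses the password printed in the vendor's install guide, and a review of who is reading invoice records from outside the company's own network. The following added example (not code from the report, from Symantec or from either company's portal) implements both against constructed data: the account export format, the salted-hash scheme, the "vendor default" password list, the log format, the IP ranges and every log line are assumptions made for this example.

```python
"""Two checks a small business could run against its web portal.

Added example, not from the report or from either company's systems: the
account format, hash scheme, vendor default list, log format and network
ranges are all constructed. The first check flags an administration account
still using a documented default password; the second scans a constructed
access log for invoice records being pulled from outside the company's own
network, the pattern behind the Dirty Linen attack.
"""
import hashlib
import ipaddress
import re
from collections import defaultdict


# Constructed: how this hypothetical portal stores passwords (salted SHA-256 hex).
def portal_hash(password, salt):
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed: passwords printed in a fictional vendor's install guide.
VENDOR_DEFAULTS = ["admin", "password", "changeme"]

# Constructed account records as they might be exported from the portal.
ACCOUNTS = [
    {"user": "admin", "salt": "x9k2", "hash": portal_hash("admin", "x9k2")},
    {"user": "jsmith", "salt": "p7q1", "hash": portal_hash("correct horse battery", "p7q1")},
]


def accounts_using_defaults(accounts, defaults):
    """Return the user names whose stored hash matches a vendor default password."""
    return [acct["user"] for acct in accounts
            if any(portal_hash(p, acct["salt"]) == acct["hash"] for p in defaults)]


# Constructed access log: '<client ip> <user> [<timestamp>] "<method> <path> <proto>" <status>'
SAMPLE_LOG = """\
203.0.113.7 admin [01/Mar/2015:09:02:11 +0000] "GET /portal/invoices/1001 HTTP/1.1" 200
203.0.113.9 jsmith [01/Mar/2015:09:10:44 +0000] "GET /portal/invoices/1002 HTTP/1.1" 200
198.51.100.23 admin [01/Mar/2015:23:41:05 +0000] "GET /portal/login HTTP/1.1" 200
198.51.100.23 admin [01/Mar/2015:23:41:09 +0000] "GET /portal/invoices/1001 HTTP/1.1" 200
198.51.100.23 admin [01/Mar/2015:23:41:14 +0000] "GET /portal/invoices/1002 HTTP/1.1" 200
198.51.100.23 admin [01/Mar/2015:23:41:20 +0000] "GET /portal/invoices/1003 HTTP/1.1" 200
198.51.100.23 admin [02/Mar/2015:23:40:58 +0000] "GET /portal/invoices/1004 HTTP/1.1" 200
203.0.113.7 admin [02/Mar/2015:08:55:30 +0000] "GET /portal/invoices/1005 HTTP/1.1" 200
192.0.2.44 jsmith [02/Mar/2015:12:00:00 +0000] "GET /portal/invoices/1006 HTTP/1.1" 403
"""

LOG_LINE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})$')

# Constructed: the address range the company's own staff connect from.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ip, user, ts, method, path, status = m.groups()
            events.append({"ip": ip, "user": user, "time": ts, "method": method,
                           "path": path, "status": int(status)})
    return events


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def external_record_access(events, sensitive_prefix="/portal/invoices/", min_hits=3):
    """Count successful reads of sensitive records per (user, source IP) from outside
    the trusted networks and return the pairs at or above min_hits."""
    counts = defaultdict(int)
    for e in events:
        if (e["status"] == 200 and e["path"].startswith(sensitive_prefix)
                and not is_trusted(e["ip"])):
            counts[(e["user"], e["ip"])] += 1
    return {key: n for key, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    print("accounts on default passwords:", accounts_using_defaults(ACCOUNTS, VENDOR_DEFAULTS))
    print("external invoice pulls:", external_record_access(parse_log(SAMPLE_LOG)))
```

The default-password audit compares hashes rather than reversing them, so it needs nothing beyond the portal's own account export and the list of defaults from the vendor documentation; the log check works on a plain access log, which even a 35-person company's hosting package normally keeps, and the threshold keeps a single mistyped VPN session from raising an alert while a sustained pattern like the 157 accesses described above cannot hide.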

Industrial Control Systems Vulnerable to Attacks

Industrial control systems (ICSs) are found in many areas of industrial production and utility services worldwide, and are routinely connected to the Internet for remote monitoring and control. Uncovering vulnerabilities in these systems is a major area of research, emphasized by the growth in the numbers of these vulnerabilities in 2015.

The actual number of vulnerabilities affecting ICSs is estimated to be much higher, since many organizations standardize their platforms by using commercial off-the-shelf (COTS) products, such as Windows or Linux, that are also subject to vulnerabilities, but which are not counted here. Furthermore, ICS management systems connected with enterprise networks can increase the potential exposure to threats more typically associated with these operating systems.

Vulnerabilities Disclosed in Industrial Control Systems

• At least seven zero-day vulnerabilities directly related to a variety of different ICS manufacturers and devices in 2015.

[Chart: Vulnerabilities (left axis, 0-160) and Unique Vendors (right axis, 0-80) per year, 2012 to 2015. Values legible in the extracted chart: 74, 135, 75, 39, 13, 35, 20 and 9.]

Obscurity is No Defense

The most valuable form of protection against cyberespionage is simply to be aware that it is possible. All businesses are potentially vulnerable to targeted attacks using techniques such as watering hole attacks and spear phishing. Small size and obscurity are no protection.

Indeed, in 2015 small businesses accounted for a greater proportion (43 percent) of spear-phishing attacks, but the likelihood of being targeted diminished. While more attacks were destined for that group, they were focused on a smaller, more discrete number of businesses (3 percent).

Contrast this with large enterprises, which accounted for 35 percent of the spear-phishing attacks, and 1 in 2.7 (38 percent) were targeted at least once. This suggests a much more extensive scale where campaigns were more scattergun in their approach.

Having acknowledged the risk, organizations can take steps to protect themselves by reviewing their security and incident response plans, getting advice and help if required, updating the technical defenses, putting good personnel policies and training in place, and staying up to date with the latest information.

2016 Internet Security Threat Report

DATA BREACHES & PRIVACY

DATA BREACHES LARGE AND SMALL

Whether an insider attack, or criminal fraud focused on websites and point-of-sale devices, data breaches continued in 2015, costing victims more than ever. The number of mega-breaches climbed to the highest level since 2013. The number of breaches where the full extent of the breach was not revealed increased; more companies declined to publish the numbers unless required to do so by law.

The State of Play

Symantec figures show the total number of breaches rose slightly, by 2 percent, in 2015. The year also saw nine mega-breaches, surpassing 2013's record of eight breaches containing more than 10 million identities each. Another new record was set near the end of the year when 191 million identities were exposed in a single incident, surpassing the previous record for the largest single data breach.

Helped in no small part by this massive breach, the overall number of identities exposed jumped 23 percent to 429 million. What's more concerning is that this number is likely much higher, due to the increasing tendency of organizations to limit the information released about the extent of the breaches they suffer. In 2015, the number of reported breaches that did not include a figure for identities exposed increased by 85 percent, from 61 to 113. Symantec estimates that the total number of identities exposed, had these breaches been fully reported, is likely to be at least half a billion.

It's a staggering number, but also one full of speculation based on incomplete data. The median number of identities exposed per breach decreased by around a third, to 4,885 identities per breach. This does not lessen the cause for concern, but rather suggests the data stolen across breaches is more valuable and the impact to the business greater than in previous years.


Timeline of Data Breaches

[Chart: monthly number of data breach incidents and identities exposed (millions), January to December 2015.]

- A massive breach in December 2015 helped to set a new record for identities exposed in a year. At 41, the month of July also saw the highest-ever number of breaches in a month.

Looking at industries across the broadest of categories, the Services sector was impacted by more data breaches than any other industry, both in terms of the number of incidents and the number of identities exposed. However, the reasons in each case differ when looking at the sub-sectors contained within these high-level classifications.

The largest number of breaches took place within the Health Services sub-sector, which comprised 39 percent of all breaches in the year. This comes as no surprise, given the strict rules within the healthcare industry regarding reporting of data breaches. However, the number of identities exposed is relatively small in this industry. Such a high number of breaches with low numbers of identities suggests that the data itself is valuable enough to warrant so many small breaches.

The sub-sector responsible for the most identities exposed was Social Services. However, this is largely due to the record-breaking data breach responsible for 191 million identities exposed. Removing this one breach drops Social Services to the bottom of the list. (Coincidentally, this is where it falls within the list of sectors for number of breaches.)

Top 5 High Level Sectors Breached by Number of Identities Exposed

[Chart: identities exposed (millions) for the top five high-level sectors; Services accounts for the largest share.]

Cyber insurance claims are becoming more common. This year's NetDiligence Cyber Claims study saw claims ranging up to US$15 million, while typical claims ranged from US$30,000 to US$263,000. But the cost of insuring digital assets is on the rise, contributing further to the rising overall cost of data breaches. Average premiums for retailers surged 32 percent in the first half of 2015, and the healthcare sector saw some premiums triple. Reuters also reports that higher deductibles are now common and that even the biggest insurers will not write policies for more than $100 million for risky customers.


Infographic: Facts About the Attack on Anthem

On January 26, 2015, 78 million patient records were exposed. The breach is believed to be the work of a well-resourced cyberespionage group, which Symantec calls Black Vine. The group appears to have access to a wide variety of resources that let it conduct multiple, simultaneous attacks over a sustained period of time. They used:

Top 10 Sectors Breached by Number of Incidents

- Health Services is denoted as a sub-sector within the Services industry, and 120 of the 200 breaches that occurred within the Services sector were attributed to Healthcare.

Sector                                 Number of Incidents   % of Incidents
Services                               200                   65.6%
Finance, Insurance, & Real Estate      33                    10.8%
Retail Trade                           30                    9.8%
Public Administration                  17                    5.6%
Wholesale Trade                        11                    3.6%
Manufacturing                          –                     2.3%
Transportation & Public Utilities      –                     2.0%
Construction                           –                     <1%

Top 10 Sectors Breached by Number of Identities Exposed

- The Services sector accounted for 60 percent of identities exposed, the majority of which were within the Social Services sub-sector.

Sector                                 Identities Exposed    % of Identities
Services                               259,893,565           60.6%
Finance, Insurance, & Real Estate      120,124,214           28.0%
Public Administration                  27,857,169            6.5%
Wholesale Trade                        11,787,795            2.7%
Retail Trade                           5,823,654             1.4%
Manufacturing                          3,169,627             <1%
Transportation & Public Utilities      156,959               <1%
Construction                           3,700                 <1%

Top 10 Sub-Sectors Breached by Number of Incidents

Sub-Sector                             Number of Incidents   % of Incidents
Health Services                        120                   39.3%
Business Services                      20                    6.6%
Educational Services                   20                    6.6%
Insurance Carriers                     17                    5.6%
Hotels & Other Lodging Places          14                    4.6%
Wholesale Trade - Durable Goods        10                    3.3%
Eating & Drinking Places               –                     3.0%
Executive, Legislative, & General      –                     3.0%
Depository Institutions                –                     2.6%
Social Services                        –                     2.0%

Top 10 Sub-Sectors Breached by Number of Identities Exposed

Sub-Sector                             Identities Exposed    % of Identities
Social Services                        191,035,533           44.5%
Insurance Carriers                     100,436,696           23.4%
Personal Services                      40,500,000            9.4%
Administration of Human Resources      21,501,622            5.0%
Insurance Agents, Brokers, & Service   19,600,000            4.6%
Business Services                      18,519,941            4.3%
Wholesale Trade - Durable Goods        11,787,795            2.7%
Executive, Legislative, & General      6,017,518             1.4%
Educational Services                   5,012,300             1.2%
Health Services                        4,154,226             1.0%


This calls into question how risk factors into a data breach. An industry may suffer a large number of data breaches or expose a large number of identities, but does this mean that the data itself is being used for nefarious purposes?

For instance, 48 percent of the identities exposed in 2015 were exposed accidentally. Personal data in these cases was indeed exposed, be it by a company sharing data with the wrong people or a misconfigured website that inadvertently made private records public. But was this data obtained by people with malicious intentions? In many cases, it's likely that it was not. A retired grandmother who accidentally receives someone else's healthcare record by email is unlikely to flip this information for identity theft. That's not to say it never happens, just that a large majority of such data breaches are of lower risk.

What is a much higher risk are cases where either hackers or insider theft was the cause of a breach. These are instances where the motive was very likely to steal data. To that end, here are some examples of high-risk industries.

Top Sectors Filtered for Identities Exposed, Caused by Hacking and Insider Theft

Industry Sector                        Identities Exposed
Insurance Carriers                     100,301,173
Personal Services                      40,500,000
Administration of Human Resources      21,500,000
Insurance Agents, Brokers, & Service   19,600,000
Business Services                      18,405,914

Top Sectors Filtered for Incidents, Caused by Hacking and Insider Theft

Industry Sector                        Number of Incidents
Health Services                        53
Hotels & Other Lodging Places          14
Business Services                      14
Wholesale Trade - Durable Goods        –
Educational Services                   –

In terms of identities exposed in high-risk breaches, the Insurance Carriers and the Insurance Agents, Brokers, & Service sub-sectors both appear in the top five. Between these two sub-sectors lie almost half the mega-breaches seen in 2015. This presents one other interesting item: of the insurance-related breaches, almost 40 percent also contained healthcare records. Given the overlap between healthcare costs and the insurance companies that cover such costs, this isn't too surprising. What is concerning is that attackers may have figured out that this highly prized data is available in insurance-related sectors, and in much bigger numbers than found in small hospitals or private practices.

The Health Services sub-sector still tops the list for number of incidents, but it is now followed by the Hotels & Other Lodging Places sub-sector. Interestingly, 100 percent of breaches in this particular sub-sector included credit card information, but only seven percent actually reported the number of identities stolen. The Business Services sector dropped from second to third place when looking at high-risk causes. The companies breached in this sector are primarily online businesses and software manufacturers.

By Any Other Name

The more details someone has about an individual, the easier it is to commit identity fraud. Criminals are targeting insurance, government, and healthcare organizations to get more complete profiles of individuals.

The types of information that thieves are pursuing did not change in 2015, save some minor changes in ranking. Real names are still the most common type of information exposed, present in over 78 percent of all data breaches. Home addresses, birth dates, government IDs (such as SSNs), medical records, and financial information all appear in the 30 to 40 percent range, as in 2014, though their order of appearance has changed slightly. Rounding out the top 10, email addresses, phone numbers, insurance information, and user names/passwords again appear in the 10 to 20 percent range.

This isn't to say credit card data isn't still a common target. Its black market value isn't especially high on a per-card basis, since credit card companies are quick to spot anomalous spending patterns (as are card owners), and stolen card data and other financial information has a limited shelf life. However, there is still an evergreen market for stolen credit card data.

Top 10 Types of Information Exposed

[Table: 2015 rank, type and percentage of breaches, alongside the 2014 rank, type and percentage. Only the bottom rows survived extraction: Insurance (11%) and User Names & Passwords (13% and 11%).]

Retail remains a lucrative sector for criminals, although the introduction of the EMV standard, or chip-and-PIN payment technology, in the US means the information criminals will be able to scrape from point-of-sale (POS) devices will be less valuable. EMV is a global standard for cards equipped with microchips, and the technology has been in use in some countries since the 1990s and early 2000s. EMV is used to authenticate chip-and-PIN transactions, and following numerous large-scale data breaches in recent years and increasing rates of credit card fraud, credit card issuers in the US are migrating to this technology in a bid to reduce the impact of such fraud.

Previously, criminals could get hold of Track 2 data, which is shorthand for some of the data stored on a card's magnetic stripe. This made it easier to clone credit cards and use them in stores, or even in ATMs if they also had the PIN. Track 1 stores more information than Track 2, and contains the cardholder's name as well as the account number and other discretionary data. Track 1 is sometimes used by airlines when securing reservations with a credit card. The value of this data is reflected in online black market sale prices, with Track 2 data costing up to US$100 per card.

As of October 2015, 40 percent of US consumers have EMV cards, and 25 percent of merchants are estimated to be EMV compliant. With the move to the EMV standard, credit cards are much more difficult to clone: the chip produces a per-transaction cryptogram that cannot be reproduced from the static data on a magnetic stripe, and chip-and-PIN transactions additionally require the PIN. And while the transition might take a few years to fully implement, alongside other improvements in POS security, it should make large-scale POS thefts more difficult and certainly less profitable for criminals.

The Insider Threat

While insider theft only accounted for around 10 percent of data breaches in 2015, the NetDiligence Cyber Claims study reported that there was insider involvement in 32 percent of the claims submitted in 2015. According to its CEO, a disgruntled insider was alleged to have been responsible for one of the most publicized data breaches of the year, at Ashley Madison. Although this has not been confirmed, if true, it highlights the potential damage a malicious insider can inflict.

Top Causes of Data Breach by Incidents

- The proportion of incidents involving insider theft grew from 8 percent in 2014 to 10 percent in 2015.

Cause                                   2014 % of Incidents   2015 % of Incidents
Attackers                               49%                   46%
Accidentally Made Public                22%                   22%
Theft or Loss of Computer or Drive      21%                   21%
Insider Theft                           8%                    10%

Infographic: Over Half a Billion Personal Information Records Stolen or Lost in 2015

2015 stats: 429 million identities exposed, and more companies than ever not reporting the full extent of their data breaches.

[Stat: share of breaches that included medical records.] The largest number of breaches took place within the Health Services sub-sector, which comprised 39 percent of all breaches in the year. This comes as no surprise, given the strict rules within the healthcare industry regarding reporting of data breaches.

Most of an iceberg is submerged underwater, hiding a great ice mass. The number of reported identities exposed in data breaches is just the tip of the iceberg. What remains hidden?

Reported identities exposed: 78 million patient records were exposed at Anthem; 22 million personal records were exposed at the Office of Personnel Management.

Total reported identities exposed (millions): 2013: 552; 2014: 348 (-37%); 2015: 429 (+23%). These numbers are likely higher, as many companies are choosing not to reveal the full extent of their data breaches.

Unreported identities exposed: despite companies' choice not to report the true number of records exposed, hundreds of millions more people may have been compromised. Incidents that did not report identities exposed: 61 in 2014, 113 in 2015 (+85%). Given the facts, it is possible that 500 million identities were exposed (estimated).

Source: Symantec

Top Causes of Data Breach by Identities Exposed

- The proportion of identities exposed that were accidentally made public increased to 48 percent, from 17 percent in 2014.

Cause                                   2014 % of Identities   2015 % of Identities
Attackers                               82%                    52%
Accidentally Made Public                17%                    48%
Theft or Loss of Computer or Drive      <1%                    <1%
Insider Theft                           <1%                    <1%

Insider threats have always been a hot topic in cybersecurity, but in 2015 government bodies not only started to take notice but also took action.

- More than three-quarters of US government agencies surveyed in the MeriTalk Federal Insider Threat Report say their agency is more focused on combating insider threats today than one year ago.

- The UK's Centre for Defence Enterprise sponsored several projects in 2015 aimed at monitoring employee digital behaviour to predict and identify insider threats in real time, as well as learning simulators to help people spot risk.

Privacy Regulation and the Value of Personal Data

Cybercriminals are not only interested in who can hack, but also in who can leak. Whether data is stolen in a data breach, accidentally leaked, or even posted online legitimately in the past, personal data has a value in the underground shadow economy. Until relatively recently, many people did not recognize the potential value in personally identifiable information, and were often very lackadaisical in safeguarding it. The advent of social media in the last decade has enabled more people to share more personal data than at any time in history, and privacy controls were not at the forefront of many social networking applications.

Personal data can and will be used to commit crimes, whether to conduct identity fraud, to enhance the social engineering in phishing scams, or even as part of the reconnaissance in the prelude to a targeted attack. Recognition of the potential value of this data in the wrong hands has resulted in social networking services enhancing and tightening their privacy controls, and in more people regarding their personal data with greater respect. For example, the European Court of Justice's "right to be forgotten" ruling rippled through the data-gathering community in May 2014, and by the end of 2015 Google had received 348,085 requests to delist specific search results. While many thought this would only benefit those wanting to hide scandal or avoid incrimination, according to Google's FAQ some of the most common cases for removal are sites that contain personal contact or address information, or content that relates solely to information about someone's health, sexual orientation, race, ethnicity, religion, political affiliation and trade-union status.

The European Court of Justice sharpened the public's focus on privacy again this year when it ruled the 2000 Safe Harbor agreement invalid. As Monique Goyens, director general of the European Consumer Organisation, explained, the ruling "confirms that an agreement which allows US companies to merely declare that they adhere to EU data protection rules without any authority screening this claim is clearly not worth the paper it is written on." As The Guardian newspaper commented at the time, it may help stop the US government from being able to gain access to user data from the EU, and may open the door to further probes, complaints, and lawsuits from users and data regulators.

However, in February 2016, the European Commission and the US agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield. The new framework was designed to address the requirements set out by the European Court of Justice after it ruled the old Safe Harbor framework invalid. The press release states, "The new arrangement will provide stronger obligations on companies in the US to protect the personal data of Europeans and stronger monitoring and enforcement by the US Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities."

Surveying seven thousand people across Europe, Symantec's 2015 State of Privacy Report shows that in the UK alone, 49 percent of consumers are worried their data is not safe. And across the EU, technology companies (22 percent), retailers (20 percent) and social media companies (10 percent) were the least trusted. Symantec sees the lack of trust in these companies as a reputational issue, possibly stemming from recent high-profile data breach incidents.

We expect that reluctance to share personal information will grow and begin to change online behavior among consumers. One of the major reasons data privacy is becoming such a concern is that there is now a clear understanding among consumers that their data holds value. Providers of technology services should take heed when it comes to data privacy, because until the technology sector can be trusted to do the right thing by its consumers to safeguard that data, more work will need to be done in the coming years to build and sustain the level of trust needed.

As data breaches proliferate and people's lives increasingly move online, we expect to see more regulation and more judicial interest in the protection of individual privacy in 2016 and beyond. Businesses need to be more transparent with customers on how they are keeping data secure. Security needs to be embedded into a company's value chain, but it should also be viewed internally as a customer-winning requirement, and not just a cost.

Ilias Chantzos, senior director in government affairs at Symantec, commented, "There is a real consistency emerging that privacy is a competitive advantage for businesses and that privacy concerns also determine consumers' behaviour. It is critical to ensure consumers are empowered to understand what their data is being used for and how it is protected."

Reducing the Risk

While these are important steps, a large number of data breaches could also have been prevented with basic common sense, including:

- Patching vulnerabilities
- Maintaining good software hygiene
- Deploying effective email filters
- Using intrusion prevention and detection software
- Restricting third-party access to company data
- Employing encryption where appropriate to secure confidential data
- Implementing data loss prevention (DLP) technology

Of course, all of these relate to preventing outsider attacks. When it comes to mitigating the risk of malicious or accidental insider threats, organizations need to focus on employee education and data loss prevention.

Basic security hygiene should be drilled into employees the same way the public is told to cover our mouths when we cough or to sanitize our hands in hospitals. Organizations should also be making use of data loss prevention technology to locate, monitor, and protect their data, wherever it is within the organization, so that they know who is doing what, with what data, in real time. DLP can block certain types of data from leaving an organization, such as credit card numbers and other confidential documentation.

Security should be an essential part of operations and employee behavior, rather than an add-on or something to appease auditors. Data breaches are unlikely to stop any time soon, but their scale and impact could certainly be reduced if organizations recognized that security goes well beyond the bounds of the CIO or the IT manager. Security is in every employee's hands.
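As an added example, not code from the report or from any Symantec product, the Python scanner below shows the kind of content check a DLP control applies to outbound mail or uploads before deciding whether to block them: it finds payment card numbers (validated with the Luhn check so that order numbers and phone numbers are not flagged), US Social Security numbers, and raw Track 2 magnetic-stripe records in the ISO/IEC 7813 layout referred to in the EMV discussion above. The sample message, the process of masking findings before logging them, and the block-on-any-finding policy are all constructed for this example.

```python
"""Added example: minimal DLP-style content scanner (not Symantec DLP, not
code from the report). Flags card numbers, US SSNs and raw Track 2 data in
outbound text so that a gateway can block the message. The sample input at
the bottom is constructed for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Tuple

# 13-19 digits, optionally separated by single spaces or dashes. The Luhn
# check below removes most order numbers, phone numbers and timestamps.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the written NNN-NN-NNNN form; excludes impossible groups.
_SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
# Track 2 as read from a magnetic stripe (ISO/IEC 7813):
# ';' PAN '=' YYMM service-code discretionary-data '?'
_TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str     # "pan", "ssn" or "track2"
    masked: str   # masked value: findings are logged, the secret itself is not
    offset: int   # character offset in the scanned text


def _mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> List[Finding]:
    """Return all card-number, SSN and Track 2 findings in `text`, by offset."""
    findings: List[Finding] = []
    covered: List[Tuple[int, int]] = []      # spans already reported as Track 2
    for m in _TRACK2_RE.finditer(text):
        pan = m.group(1)
        if luhn_ok(pan):
            findings.append(Finding("track2", _mask(pan), m.start()))
            covered.append((m.start(), m.end()))
    for m in _PAN_RE.finditer(text):
        if any(s <= m.start() < e for s, e in covered):
            continue                         # the PAN inside a Track 2 record
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("pan", _mask(digits), m.start()))
    for m in _SSN_RE.finditer(text):
        findings.append(Finding("ssn", "***-**-" + m.group(0)[-4:], m.start()))
    return sorted(findings, key=lambda f: f.offset)


def should_block(text: str) -> bool:
    """Policy: any card number, SSN or stripe dump stops the message."""
    return bool(scan(text))


# Constructed sample of an outbound message (all numbers are test values).
SAMPLE_OUTBOUND = (
    "Hi, please update the card on file: 4242 4242 4242 4242, exp 12/25.\n"
    "Order ORD-20151201-000123 shipped; call 1234567890123 with questions.\n"
    "Patient SSN 123-45-6789 is attached to the claim.\n"
    "Stripe dump: ;4111111111111111=25121011234567890?\n"
)

if __name__ == "__main__":
    for f in scan(SAMPLE_OUTBOUND):
        print(f"{f.kind:7s} at {f.offset:4d}: {f.masked}")
    print("verdict:", "BLOCK" if should_block(SAMPLE_OUTBOUND) else "allow")
```

Running it reports one card number, one SSN and one Track 2 record and blocks the message, while the order reference and the 13-digit phone-style number pass because they fail the Luhn check; a production gateway would add keyword context (for example "CVV" or "exp") and per-user exception handling on top of this.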

E-CRIME & MALWARE

THE UNDERGROUND ECONOMY AND LAW ENFORCEMENT

The underground economy is booming and cybercrime is growing fast, but as we have seen with the growing number of high-profile arrests and takedowns in 2015, wherever the cybercriminals may be, law enforcement is now catching up with them much more quickly. Ransomware attacks have diversified, including targeting Linux web servers, and crypto-ransomware has grown.

Business in the Cyber Shadows

Cybercriminals are more professional and much bolder, not only in the targets they go after but also in the sums of money they seek. These criminal enterprises see themselves as fully functioning businesses, covering a multitude of areas, each with its own speciality. Just as legitimate businesses have partners, associates, resellers, and vendors, so do those enterprises operating in the shadows.

While prices for email addresses on the black market have dropped in recent years, credit card prices have remained relatively low but stable. However, if they come with "luxury data" (verification that the seller's accounts are still active, or that a credit card has not yet been blocked) they now fetch a premium price.

At the other end of the market, a drive-by download web toolkit, which includes updates and 24x7 support, can be rented for between US$100 and US$700 per week, while distributed denial-of-service (DDoS) attacks can be ordered from US$10 to US$1,000 per day. And at the top of the market, a zero-day vulnerability can sell for hundreds of thousands of dollars. Moreover, these figures have changed very little since 2014.


Stand and Deliver

Ransomware has become increasingly dominant in recent years, and in 2014 many expected this trend to continue. However, while we have seen ransomware attacks diversify, the growth in volume has not materialized. Attacks have moved to mobile devices, to encrypting files, and to anything else an owner will pay to recover.

Never before in the history of humankind have people across the world been subjected to extortion on such a massive scale as they are today. But why are criminals favoring ransomware, especially crypto-ransomware? With the glut of stolen information on the black market and the introduction of the more secure EMV standard (chip-and-PIN) payment cards in the US, the potential profit criminals can gain by exploiting stolen credit card details has been reduced.

Credit card fraud involves several people to conduct, and consumer legislation ensures the victim's financial loss is minimized. In contrast, an attacker can obtain a ransomware toolkit from an underground source and target their intended victims, who may have few alternatives but to pay up. There are no middlemen for the criminal to pay and nothing to mitigate the losses to the victim, thus maximizing the profits.

One crypto-ransomware tactic that seeks to increase the pressure on victims to pay up threatens to destroy the only copy of the secret key after a certain time, with the encrypted data potentially lost forever.

Some ransomware now also threatens to publish the victim's files online unless they pay, an interesting and sinister twist which is likely to increase, since the traditional advice of keeping effective backups does not help in this scenario.

In 2015, one Symantec researcher demonstrated that smart TVs were potentially vulnerable to ransomware, although this has not yet been observed in the wild.

Growing Dominance of Crypto-Ransomware

[Chart: misleading apps, fake antivirus (FakeAV), locker ransomware and crypto-ransomware identified between 2005 and 2015, as a percentage of the total.]

Crypto-Ransomware Over Time

- While more traditional locker-style ransomware is showing a rapid decline, crypto-ransomware continues to grow. Crypto-ransomware employs very strong, ostensibly unbreakable key-based cryptography to hold a victim's personal files to ransom by encrypting them with a key that only the criminals have access to.

[Chart: monthly crypto-ransomware detections (up to 50,000) and crypto-ransomware as a percentage of all ransomware, January to December 2015.]

Crypto-Ransomware as Percentage of All Ransomware

- Although the chart indicates a steady decline in traditional ransomware in 2015, crypto-ransomware now accounts for the majority of all ransomware.

[Chart: total ransomware detections (thousands, up to 600) and crypto-ransomware share (percent), January to December 2015.]
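The defining trait of crypto-ransomware described in this section, that it rewrites a victim's files with properly encrypted content, is also the trait an endpoint monitor can key on: encrypted output is close to uniformly random, so a single process that rewrites many files with near-maximal byte entropy within a short window looks nothing like a word processor saving a document. The Python detector below is an added example, not code from the report or a Symantec detection; the event stream, process names and the deterministic stand-in for ciphertext are constructed for it.

```python
"""Added example: detector for the file-write pattern crypto-ransomware leaves
behind (not code from the report, and not a Symantec detection). A process
that rewrites many distinct files with near-maximal entropy inside a short
window is reported. Events and process names below are constructed."""
from __future__ import annotations

import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Event = Tuple[float, str, str, bytes]   # (seconds, process, path, bytes written)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect(events: List[Event], window_s: float = 60.0,
           min_files: int = 5, min_entropy: float = 7.0) -> Dict[str, int]:
    """Return {process: distinct high-entropy files} for every process that
    rewrote at least `min_files` distinct files with entropy >= `min_entropy`
    inside some `window_s`-second window."""
    high: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for t, proc, path, data in events:
        # Tiny writes give unreliable entropy estimates, so skip them.
        if len(data) >= 64 and shannon_entropy(data) >= min_entropy:
            high[proc].append((t, path))
    flagged: Dict[str, int] = {}
    for proc, writes in high.items():
        writes.sort()
        best, start = 0, 0
        for end in range(len(writes)):           # sliding time window
            while writes[end][0] - writes[start][0] > window_s:
                start += 1
            best = max(best, len({p for _, p in writes[start:end + 1]}))
        if best >= min_files:
            flagged[proc] = best
    return flagged


def _ciphertext_like(seed: int, size: int = 1024) -> bytes:
    """Deterministic stand-in for encrypted output: every byte value appears
    equally often, so the entropy is exactly 8 bits per byte."""
    return bytes((i + seed) % 256 for i in range(size))


PLAINTEXT = b"Quarterly report: revenue up 3 percent, costs flat. " * 20

# Constructed event stream (process names are fictional).
SAMPLE_EVENTS: List[Event] = (
    # a suspicious process rewriting eight documents within thirty seconds
    [(float(k * 4), "updater.exe", f"C:/Users/jd/Docs/report{k}.docx.locked",
      _ciphertext_like(k)) for k in range(8)]
    # a word processor saving plaintext
    + [(12.0, "winword.exe", "C:/Users/jd/Docs/notes.docx", PLAINTEXT),
       (50.0, "winword.exe", "C:/Users/jd/Docs/notes.docx", PLAINTEXT)]
    # a backup tool writing one compressed (high-entropy) archive
    + [(20.0, "backup.exe", "D:/backup/2015-12-01.zip", _ciphertext_like(99, 4096))]
    # a browser caching images slowly, spread over hours
    + [(float(h * 3600), "browser.exe", f"C:/cache/img{h}.jpg", _ciphertext_like(h + 50))
       for h in range(6)]
)

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))   # only the burst writer is reported
```

Only the process that produced the burst is reported; the single archive write and the slow image cache stay below the threshold, which is the trade-off the `window_s` and `min_files` parameters tune. A real monitor would feed this from a file-system filter or audit log and pair it with the extension-rename and canary-file checks that commercial products use, since legitimate bulk compressors and disk encryptors will also produce high-entropy bursts.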


Ransomware Discoveries

[Timeline chart of ransomware families by quarter of discovery, 2005 to 2016 Q1. Families shown: LockDroid, KeRanger, CryptoApp, Encryptor RaaS, Zerolocker, Cryptowall, Urausy, Reveton, Onion, Kovter, BandarChor, Browlock, Slocker, Synolocker, Dumb, VirLock, Ransom32, 73v3n, CryptoJocker, Pacman, Mabouia OSX POC, Pclock, Power Worm, Hidden Tear, Umbrecrypt, Locky, Threat Finder, Hydracrypt, Simplocker, CTB-Locker/Citron, Vipasana, LowLevel404, Cryptolocker, Linkup, Hi Buddy, CryptInfinite, TeslaCrypt, Job Cryptor, Unix.Ransomcrypt, Cryptvault, TorrentLocker, Nymaim, Radamant, Tox, PayCrypt, VaultCrypt, Troldesh, Coinvault, Gpcoder, XRTN, ORX-Locker, Nanolocker, LeChiffre, DMA-Locker, Gomasom, MagicGinx, Chimera-Locker. Source: Symantec.]

Ransomware also targeted Linux web servers in 2015, encrypting files associated with web applications, archives, and backups. The evolution of Linux ransomware has mirrored that of Windows ransomware: initial versions were basic, and often used poor encryption, making it relatively simple to recover encrypted files. However, just as with Windows ransomware, we can expect the criminals behind this new trend to learn quickly from their mistakes and become more sophisticated in the future.

Global Issues, Local Attacks

With the build-up to the presidential elections in the US, spam that leads to malware has been circulating using the US presidential primaries as bait. Spammers know how to play on visceral, emotive themes: global events, the refugee crisis in the Middle East, immigration and foreign policy issues, the economy, and even terrorism.

In January 2015, the Twitter and YouTube accounts of US Central Command were hacked by self-styled supporters of the jihadist terrorist group ISIS (a.k.a. IS, ISIL or Daesh). US Central Command commented that it was "cyber-vandalism" rather than a serious data breach.

However, in April 2015, French television network TV5 Monde reported that it had been hacked by a group claiming to belong to ISIS. According to reports, its TV station was brought to a standstill, and its website and social media pages were also disrupted in the attack. The hackers posted documents that purported to be the identity cards and CVs of relatives of French soldiers involved in anti-ISIS operations in Iraq and Syria.

Both examples highlight a clear-cut case of terrorists using cyberthreats as an instrument to amplify their messages. The Internet has become a tool not only for online radicalization, but also for communication between terrorist groups and for financing their operations. As a consequence, the calls for law enforcement to break encryption protocols are likely to have a wider and longer-lasting impact on the technological integrity of Internet communications as a whole.

In a reference to terrorism, one recent email campaign impersonated local law enforcement officials in the Middle East and Canada, tricking people into downloading malware by posing as security tips that would keep the intended victim safe from potential terror attacks in their location. The emails spoofed the addresses of law enforcement agencies and included the names of officials who were all still in office at the time of the campaign. The subject lines often reflected the name of an employee who worked within the targeted company.

To make this type of attack convincing requires some degree of research, and here we have seen that this group did so before sending these phishing emails. Furthermore, without any employee information, they would email other people in the company as an entry point, such as customer services or IT personnel.

This level of research and localisation indicates a growing professionalism, and is becoming increasingly common in botnet scams. The underground economy isn't just about selling stolen goods: it's an entire industry with the talented professionals and organisations you would expect in a legitimate business sector.
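The campaign above worked because the visible From address carried a real law enforcement domain and a real official's name. A mail gateway or triage analyst can catch that class of spoof without knowing the lure, by checking whether the From domain aligns with the envelope sender and Reply-To and whether the gateway's own SPF, DKIM and DMARC evaluation passed. The Python check below is an added example, not code from the report; the two messages, the police and corporate domains, and the Authentication-Results values are constructed for it, and the two-label registrable-domain rule is a simplification a real deployment would replace with the Public Suffix List.

```python
"""Added example: triage check for spoofed-sender phishing (not code from the
report). It inspects a received message's headers for the two things a
spoofed law-enforcement mail relies on: a From address that does not align
with the envelope sender or Reply-To, and missing SPF/DKIM/DMARC results.
Sample messages and domains below are constructed for this example."""
from __future__ import annotations

from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def org_domain(domain: str) -> str:
    """Registrable-domain approximation (last two labels). A real gateway would
    use the Public Suffix List so that e.g. police.gov.uk is handled correctly."""
    return ".".join(domain.split(".")[-2:])


def parse_auth_results(value: str) -> Dict[str, str]:
    """Parse an RFC 8601 Authentication-Results header into {method: result}."""
    results: Dict[str, str] = {}
    for clause in value.split(";")[1:]:            # clause [0] is the authserv-id
        clause = clause.strip()
        if not clause:
            continue
        method, _, rest = clause.partition("=")
        words = rest.split()
        results[method.strip().lower()] = words[0].lower() if words else ""
    return results


@dataclass
class Verdict:
    from_domain: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess(raw_message: str) -> Verdict:
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From", ""))
    verdict = Verdict(from_dom)
    # 1. Alignment: envelope sender and Reply-To should belong to the From organisation.
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(hdr, ""))
        if dom and org_domain(dom) != org_domain(from_dom):
            verdict.reasons.append(f"{hdr} domain {dom} does not align with From domain {from_dom}")
    # 2. Authentication: the receiving gateway's own SPF/DKIM/DMARC evaluation.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            verdict.reasons.append(f"{method} result is {auth.get(method, 'missing')!r}, not pass")
    return verdict


# Constructed samples. The spoofed one imitates the campaign described above:
# the visible sender is a fictional police domain, but the bounce address and
# Reply-To belong to the attacker's infrastructure and no check passed.
SPOOFED = """\
Return-Path: <bounce-41@mail-delivery-svc.example.net>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-delivery-svc.example.net; dkim=none; dmarc=fail header.from=police.example.gov
From: Sgt A Example <alerts@police.example.gov>
Reply-To: <alerts@police-alerts.example.net>
To: jane.doe@corp.example
Subject: Jane Doe - security tips for your area

Please open the attached guidance.
"""

LEGITIMATE = """\
Return-Path: <alerts@police.example.gov>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=police.example.gov; dkim=pass header.d=police.example.gov; dmarc=pass header.from=police.example.gov
From: Sgt A Example <alerts@police.example.gov>
To: jane.doe@corp.example
Subject: Community notice

Routine notice.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        v = assess(raw)
        print(name, "->", "SUSPICIOUS" if v.suspicious else "ok", v.reasons)
```

The check only trusts an Authentication-Results header written by your own gateway (the authserv-id), because an attacker can add one of their own upstream; strip or rename any such header that arrives from outside before running this logic.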

Botnets and the Rise of the Zombies

As with many other industries, up-and-coming economies, China in particular, became favoured targets for cybercrime in 2015. One significant factor has been the growth in broadband adoption in the last year. In 2013, the Chinese Government announced plans to expand broadband coverage for both rural and urban areas by 2020. One of the milestones of this multi-pronged strategy aimed to bring fixed broadband connections to 400 million Chinese households by 2015. In addition, prices have been kept low as broadband speeds have increased. All of this makes the country an attractive target for cybercriminals seeking to compromise a fresh source of high-speed, Internet-connected computers.

The Dyre Consequences and Law Enforcement

After police shut down several major financial botnets in 2014, Dyre stepped up to take their place. Not only could Dyre hijack common web browsers and intercept Internet banking sessions to steal information, it could also download additional malware to the victim's computer, binding it to the perpetrators' network of botnet computers.

Dyre Detections Over Time

[Chart: Dyre detections per month, 2014 to 2015; y-axis 5,000 to 35,000]

• The chart shows a decline in Dyre malware activity long before the botnet was disrupted in November 2015. This may be an indication of an already weakened business model.

Malicious Activity by Source: Bots

• China was the origin of much more bot activity in 2015, seeing a sharp rise of 84 percent in bot-related activity in that country. Bot activity in the US, by contrast, fell by 67%. Successful law enforcement activity against cybercriminals, and heightened cybersecurity awareness are both contributing factors in the decline of bots in general.

Rank | 2015 Country/Region | 2015 Bots % of Global | Percent Change, Bots in Country/Region | 2014 Country/Region | 2014 Bots % of Global
1 | China | 46.1% | +84.0% | China | 16.5%
2 | United States | 8.0% | -67.4% | United States | 16.1%
3 | Taiwan | 5.8% | -54.8% | Taiwan | 8.5%
4 | Turkey | 4.5% | +29.2% | Italy | 5.5%
5 | Italy | 2.4% | -71.2% | Hungary | 4.9%
6 | Hungary | 2.2% | -69.7% | Brazil | 4.3%
7 | Germany | 2.0% | -58.0% | Japan | 3.4%
8 | Brazil | 2.0% | -70.1% | Germany | 3.1%
9 | France | 1.7% | -57.9% | Canada | 3.0%
10 | Spain | 1.7% | -44.5% | Poland | 2.8%

Dyre had initially emerged as one of the most dangerous financial fraud operations, configured to defraud the customers of more than 1,000 banks and other companies worldwide. However, the cybercrime group controlling the Dyre financial fraud Trojan suffered a major blow following a Russian law enforcement operation in November. As outlined in a Security Response blog, Symantec telemetry has confirmed a virtual cessation of the group's activities. Dyre (detected by Symantec as Infostealer.Dyre) was spread through email campaigns, and no Dyre-related email campaigns have been observed since November 18, 2015. Detections of the Dyre Trojan and associated malware dropped dramatically soon after. Previously, the number of infections was estimated to be above 9,000 per month in early 2015. In November it fell to below 600 per month.

Law enforcement has become more effective at catching cybercriminals like these, and high-profile successes at disrupting them show how coordinated, international efforts can pay dividends. Rarely is an attack group confined to one country, and with major groups spanning multiple jurisdictions, cross-border cooperation with law enforcement is an important factor to ensure that these successes continue to strike a blow against cybercriminals. We expect to see still more successful law enforcement operations against cybercriminals in the next year.


As the risks for the cybercriminals intensify, the potential rewards will diminish, raising the barrier to entry for any would-be cybercriminals. Other notable successes in 2015 included:

• Dridex takedown. The Dridex botnet specialized in stealing bank credentials. In October, an international law enforcement operation coordinated efforts to sinkhole thousands of compromised computers, cutting them off from the botnet's control, and saw one man charged. However, this may have been a partial success as Dridex continues to propagate, indicating that many key elements of the operation are still functioning. As such, we expect the group to continue to pose a serious threat during 2016.

• Simda takedown. In April, infrastructure owned by the Simda botnet's controllers, including a number of command-and-control servers, was seized by law enforcement. According to Interpol, Simda was used by cyber criminals to gain remote access to computers enabling the theft of personal details, including banking passwords, as well as to install and spread other malware.

• Ramnit seizure. In February, a law enforcement operation led by Europol and assisted by, among others, Symantec and Microsoft, seized servers and other infrastructure owned by the cybercrime group behind the Ramnit botnet.

• Multi-national banking and financial services fraud-related indictments. Federal authorities indicted at least four men in connection with hacking incidents that resulted in the theft of over 100 million customer records. They were charged with hacking into multiple financial institutions and for operating a stock pump-and-dump scheme. One of the attacks occurred in 2014, and netted more than 80 million customer records, a breach that the US Justice Department dubbed the largest theft of customer data from a US financial institution in history.

Cybercrime and Keeping out of Harm's Way

Organizations and individuals need to realise that even if they don't think they're an obvious target for cybercriminals, it doesn't mean they're not one.

The key is to remain vigilant both on a personal level by:

• Not opening emails from unknown senders.
• Looking for the padlock and checking the SSL certificate on any sites where you enter sensitive data.
• Not using unsecured networks when accessing sensitive data.

Remain vigilant at an organizational level by:

• Deploying intrusion prevention and detection software.
• Knowing what valuable data you have and harnessing data loss prevention technology.
• Monitoring where data is, and who has access to it.
• Ensuring you have a good incident response plan for when an attack is detected. It's not a question of what to do if an attack occurs, but when.


CLOUD & INFRASTRUCTURE

COMPUTERS, CLOUD COMPUTING AND IT INFRASTRUCTURE

IT systems continue to come under attack from rapidly evolving malware. No operating system is automatically immune, and malware threats against Linux and Mac OS X are increasing. Even cloud-hosted and virtualized systems are vulnerable. Malware is able to seek out virtualized environments and infect them.

Protecting the System

The days of an operating system avoiding attacks simply by not being Windows are long behind us. Attacks against Mac OS X and Linux have both increased considerably in 2015, and cybersecurity is a necessity across the board for all operating systems, not just for Windows, to avoid the consequences of attack.

Cybersecurity affects everyone. Businesses need to protect their computers and IT infrastructure to stop data theft, fraud, and malware attacks. Likewise, businesses and consumers should be concerned about ransomware holding their data hostage, identity theft, and attackers using their computers as a springboard to attack others.

At a fundamental level, cybersecurity is about protecting the sinews of IT everywhere: computers, servers, and networks. The problem is that malware is ubiquitous. In 2015, we have seen many more systems come under attack, including Linux, Macs, virtualized computers, and cloud systems. Each year, the cloud handles more of our data, whether it is for customer relationship management, invoicing services, social networking, mobile email, and a whole gamut of other applications.

One route for attacks is through exploiting vulnerabilities, and most systems have vulnerabilities. These exist in the operating systems and applications used on them, and are an important aspect of cybersecurity. If left unpatched, a vulnerability may leave the path clear for would-be attackers to exploit them and use them for malicious purposes. Each year, researchers uncover new vulnerabilities, and the most coveted of these are zero-days, a special type of vulnerability for which a patch is not yet available.

Nothing Is Automatically Immune

In the last year, Symantec has seen threats to almost every kind of computer, operating system, and other essential IT services, including:

• Mac OS X. In addition to more vulnerabilities being uncovered in 2015, proof-of-concept ransomware and several methods for Trojans to gain unauthorised access to affected computers were also discovered.

• Linux. There was a rapid growth in Linux malware in 2015, including attack kits that hackers can use to infect unpatched Linux web servers.

• Virtualised systems. Even virtualised systems are not immune. Sixteen percent of malware is routinely able to recognize and exploit a virtual machine environment, and vulnerabilities such as VENOM could allow an attacker to escape an infected virtual machine and attack others on the same system, or even attack the host hypervisor.

Total Number of Vulnerabilities

[Chart: total number of vulnerabilities per year, 2006 to 2015; y-axis 1,000 to 3,000]

• The chart suggests an inflection towards a downward trend since 2013,

Symantec researchers discovered malware that

Germophobes may not like it, but bacteria and viruses cover every surface. They live on our skin and in the air, and they are not going away. Likewise, vulnerabilities are a part of the computing environment. They are not going away either, and a slipshod approach to patching, whether through carelessness, misconfiguration, human error, or negligence, is a major cause of malware infections. Well-managed, well-patched systems are much less likely to become infected.

Mac OS X

Apple's Mac OS X operating system was targeted for a variety of attacks in 2015, including a proof-of-concept ransomware threat called Mabouia (detected as OSX.Ransomcrypt), the first effective file-based ransomware threat against OS X. Previously, browser-based threats against Macs have been found, including ransomware targeting Safari through a malicious website. Moreover, the volume of OS X malware has doubled (100% growth) since the start of 2015. In Q1, Symantec blocked approximately 3,650 attacks each day, rising to 7,255 by the end of Q4.

Mac OS X Malware Volume

[Chart: Mac OS X malware blocked per month, January to December 2015; y-axis 30,000 to 300,000]


Top Ten Mac OS X Malware Blocked on OS X Endpoints

• Many OS X malware variants were additionally blocked using generic detection for which specific definitions are not created. Generic detection protects against many Trojans that share similar characteristics.

Rank | Malware Name (2015) | Percent of Mac Threats 2015 | Malware Name (2014) | Percent of Mac Threats 2014
1 | OSX.Sudoprint | 42.0% | OSX.RSPlug.A | 21.2%
2 | OSX.RSPlug.A | 16.8% | OSX.Okaz | 12.1%
3 | OSX.Klog.A | 6.6% | OSX.Flashback.K | 8.6%
4 | OSX.Keylogger | 5.6% | OSX.Keylogger | 7.7%
5 | OSX.Wirelurker | 5.0% | OSX.Stealbit.B | 6.0%
6 | OSX.Luaddit | 3.2% | OSX.Klog.A | 4.4%
7 | OSX.Flashback.K | 3.1% | OSX.Crisis | 4.3%
8 | OSX.Crisis | 2.1% | OSX.Sabpab | 3.2%
9 | OSX.Okaz | 1.7% | OSX.Netweird | 3.1%
10 | OSX.Stealbit.B | 1.6% | OSX.Flashback | 3.0%

Linux Malware Volume

[Chart: Linux malware blocked per month, January to December 2015; y-axis 50 to 300]

• In 2015, Symantec saw a surge in malware targeting Linux, the most common operating system on website servers, among other essential Internet services.

Linux in the Firing Line

Although the overall volume is lower by comparison, the number of malware attacks against Linux has risen almost fourfold (286 percent increase) since the start of the year. In Q1, Symantec blocked approximately 1.3 attacks each day, rising to 5.2 by the end of Q4.


Top Ten Linux Malware Blocked on Linux Endpoints

• Fifty-five percent of Linux malware in 2015 related to variants of Linux.Xorddos, a Trojan horse that opens a back door on the compromised computer and includes a rootkit device that can hide network traffic and other files. It may also download other potentially malicious files.

Rank | Malware Name | Percent of Linux Threats 2015
1 | Linux.Xorddos | 54.9%
2 | Linux.Dofloo | 13.9%
3 | Linux.Wifatch | 12.7%
4 | Linux.Shelock | 4.2%
5 | Linux.Spalooki | 3.9%
6 | Linux.Kaiten.B | 3.8%
7 | Linux.Mumblehard | 2.4%
8 | Linux.Moose | 1.6%
9 | Linux.Raubdo | 1.0%
10 | Linux.Xnote | 0.5%

Linux is ubiquitous, and one server may accommodate thousands of websites within the datacenter of any hosting provider. Linux has become an attractive target for hackers because with access to one server, an attacker can potentially infect all of the websites hosted on it, and in turn all of their visitors and customers. Attackers will often contaminate compromised web servers with code that links to exploit toolkits, or use them to send spam emails and steal usernames and passwords. Additionally, compromised web servers are often a springboard from which an attacker will conduct a wide variety of other attacks, including very powerful DDoS attacks, where the bandwidth of a hosting provider is considerably greater than that of a home user with a broadband connection.

A proliferation of specialized, automated attack toolkits has emerged, making it easier for cyber criminals to carry out attacks against Linux systems. These toolkits help attackers to sniff out potentially vulnerable servers, scanning for insecure content management systems and other exposed web applications.

Ransomware targeting Linux was also uncovered in 2015, targeting in particular files with extensions associated with web applications. The program also encrypted archives and directories that contained the word "backup", making it particularly difficult for anyone without offsite backups.

Cloud and Virtualized Systems

The term cloud computing covers a wide variety of technical solutions and environments, including software-as-a-service (SaaS), platform-as-a-service (PaaS), or infrastructure-as-a-service (IaaS) models. IaaS is growing in popularity among businesses, and as more data and services move to the cloud, it is attracting more attention from security researchers and cybercriminals. As with any system, each time a new layer is introduced to a service stack, the attack surface increases. While cloud environments may suffer from common vulnerabilities, such as SQL injection flaws, they may also be impacted by other issues. For example, in 2015, Symantec found that misconfiguration and poor management (by users, not cloud service providers) left cloud-hosted systems vulnerable to unauthorized access. Additionally, 11,000 publicly accessible files, some containing sensitive personal information, were also unearthed. Stolen credentials for cloud-based systems are regularly traded on underground markets, typically for less than US$10.

Cloud Vulnerabilities

It is not necessarily the case that cloud systems are inherently less secure than traditional IT services. Nevertheless, administrators need to ensure that the cloud services they use are properly configured and all data is adequately protected. They should take care to control access to their cloud systems, preferably with two-factor authentication.

Vulnerabilities like VENOM could allow an attacker to escape from a guest virtual machine (VM) and access the native host operating system, along with other VMs running on the same platform. Attackers exploiting the VENOM bug could potentially steal sensitive data on any of the virtual machines on the affected system, and gain elevated access to the host's local network and its systems. The VENOM bug (CVE-2015-3456) existed since 2004 in the open-source hypervisor QEMU, which is often installed by default in a number of virtualized infrastructures using Xen, QEMU, and KVM. However, it is important to note that VENOM does not affect VMware, Microsoft Hyper-V, and Bochs hypervisors. To date, the VENOM bug is not known to have been exploited in the wild, and QEMU's developers and other affected vendors have since created and distributed patches for VENOM.

One in six (16 percent) malware variants is able to detect the presence of a virtualized environment, compared with one in five (20 percent) in 2014. This ability can help the malware to better evade detection, particularly on security sandboxing systems using virtualization. More concerning is that an attack may detect when it is able to exploit and infect other virtual machines on the same system.

Proportion of Malware Samples That Are Virtual Machine Aware

[Chart: monthly percentage of VM-aware malware samples, January to December 2015; y-axis 10% to 25%]

• Approximately 16 percent of malware is routinely able to detect and identify the presence of a virtual machine environment, peaking at around 22 percent in Q4.

Having a robust security profile for virtual systems is now more important than ever. Virtual machines and cloud services need securing in the same way as other services and devices. Policies should cover the virtual infrastructure as well as the physical one, and the use of integrated security tools across all platforms will help to mitigate such problems in the future.


Protecting the IT infrastructure

In the face of these threats, and many others like them, the old advice holds good for any infrastructure services, including file servers, web servers, and other Internet-connected devices:

• Stay informed about emerging threats.
• Keep systems up to date with patches and updates.
• Use integrated security software, including anti-malware technology.
• Enable event logging to keep track of who is accessing data.
• Review the cloud provider's service-level agreements to learn
• Include cloud IP addresses in vulnerability management processes and perform audits on any services that are provided through the cloud.

It is important for the CIO to understand what the organization is doing, and whether certain teams are looking for services or applications that are not provided for, then determine how to address that need and offer that service in a secure fashion. Having the right processes is key to protecting information and data, even when it is not housed inside the enterprise.

Protect Information Wherever It Is

As companies move their IT systems to virtual and cloud-hosted environments, they face new security challenges. In addition, as ever, human nature itself is a threat, with poorly managed security leading to shadow IT systems. Shadow IT refers to solutions used inside organizations without explicit organizational approval, and solutions used by departments other than the IT department. It can sometimes be all too easy for a group of employees to turn to external products to fulfil an immediate need. IT decision makers should understand what is influencing their employees to turn to these solutions, and when the IT department should be involved to help shape those decisions.

DDOS ATTACKS AND BOTNETS

Distributed denial-of-service (DDoS) attacks are growing in number and intensity, but most last for 30 minutes or less. The availability of botnets-for-hire has fueled this increase and we are likely to see the Internet of Things provide more fodder for these botnet armies.

DDoS at Large

Some DDoS attacks can still afford criminals many opportunities for financial reward through extortion and blackmail by disrupting an organization's website. Following the money trail made this more difficult, and DDoS mitigation technologies meant the attackers needed greater and greater bandwidth in order to make an impact. More recently, however, it is hacktivist groups and sometimes state actors that are complicit in some of the biggest attacks.

The recent attack on the BBC, which saw its website and associated services including iPlayer (the BBC's Internet catch-up TV and radio service in the UK) taken down for several hours on New Year's Eve, is a prime example. It is thought to be the biggest ever DDoS attack, according to New World Hacking, the anti-Islamic State organisation that claimed responsibility. The attackers claimed that the BBC's scale offered a chance for them to test their capabilities, and claimed the attack reached a peak of 602 Gbps.

There are rewards to be gained through a DDoS attack, the most obvious being blackmail. Victims are threatened to pay or have their sites remain under attack. DDoS has also been used as a distraction tool in conjunction with some high-profile targeted attacks in 2015, where attackers flooded the website of the targeted organisation, leaving the IT team believing it was the prelude to a ransom demand. In reality, another, stealthier attack was quietly taking place at the same time.


DDoS Attack Volume Seen by Symantec's Global Intelligence Network

[Chart: DDoS attacks per month, January to December 2015; y-axis 2 to 20 million]

• The chart shows the number of DDoS attacks per month, and this number has grown in the second half of 2015, before tailing off at the end of the year. There were more notable spikes of activity, as attack durations become shorter and more discreet.

Different attack groups have different preferences for their DDoS campaigns, and ICMP flood attacks were one of the main methods used by the Darkness/Optima botnet. Some methods, particularly amplification attacks, may no longer work that well over time. For example, when the media extensively covers a high-profile attack, more people will patch their servers. In addition, botnets that were used to perform previous attacks may be taken down or upgraded to newer versions that provide new functionality.

Simple but Effective

So why are DDoS attacks so popular? The answer is the same now as it was when we first wrote about them in December 2002: they are simple to set up, difficult to stop, and very effective. This is truer than ever with the rise of botnets-for-hire.

Top Five DDoS Attack Traffic Seen by Symantec's Global Intelligence Network

• The majority of DDoS attacks were ICMP flood attacks, where a large volume of (typically) ping requests eventually overload the target until it can no longer handle legitimate traffic.

2015 Attacks | 2015 Attack Rate | 2014 Attacks | 2014 Attack Rate
Generic ICMP Flood Attack | 85.7% | DNS Amplification Attack | 29.4%
Generic TCP Syn Flood Denial of Service Attack | 6.4% | Generic ICMP Flood Attack | 17.2%
Generic Ping Broadcast (Smurf) Denial of Service Attack | 2.1% | Generic Ping Broadcast (Smurf) Denial of Service Attack | 16.8%
Generic Teardrop/Land Denial of Service Attack | 2.0% | Generic Teardrop/Land Denial of Service Attack | 7.2%
RFProwl Denial of Service Attack | 0.6% | Generic ICMP Unreachable Denial of Service Attack | 5.7%

Botnets-for-hire were implicated in roughly 40 percent of all DDoS network layer attacks in the second quarter of 2015, according to Incapsula, a Symantec partner. While criminals can go to the effort of infecting multiple vulnerable devices and creating their own botnet to carry out DDoS attacks, it's often much easier to hire pre-made botnets for a set amount of time. Prices remained fairly steady in the black market in 2015, where DDoS attacks can be ordered from just US$10 to US$1,000 per day. The cost to a business will be significantly higher, perhaps as much as a thousand times greater, depending on the nature of the business and the importance of the company's website. In 2015, Incapsula reported a DDoS attack can cost an organization as much as US$40,000 per hour. Consequently, the potential rewards for an attacker successfully holding a company to ransom in this way will more than compensate for their costs. For example, one Australian email provider was attacked and attackers demanded a payment of 20 Bitcoins, worth about US$6,600. Another company that paid the demand was soon subjected to another assault shortly afterwards.


Distribution of Network Layer DDoS Attacks by Duration (Q2)

[Chart: share of Q2 2015 network layer DDoS attacks by duration in hours, from under one hour to more than 720 hours]

• The chart shows how by the end of Q2 2015, there were still a significant proportion of DDoS attacks that could last for several hours, days, weeks, or months even. Chart courtesy of Incapsula.

Distribution of Network Layer DDoS Attacks by Duration (Q3)

[Chart: share of Q3 2015 network layer DDoS attacks by duration in hours, from under half an hour to more than 24 hours]

• The chart shows that by the end of Q3, the number of DDoS attacks that lasted for more than a day had almost disappeared completely, accounting for less than half of one percent of all DDoS attacks. Chart courtesy of Incapsula.

The rise in popularity of DDoS-as-a-service corresponds with the significant drop in network layer attack duration in the third quarter of 2015 compared with the second quarter. Some of these DDoS-for-hire services refer to themselves as "stressers"; because conducting a DDoS attack is illegal, they hide behind a veil, implying they can be used for stress testing server resilience.

These shorter hit-and-run style attacks are indicative of a shift towards the greater use of DDoS being offered as a service, where subscribers are allotted limited access to the overall botnet resources, which are shared with other subscribers. This will usually be sufficient for them to conduct a few shorter-duration, mid-sized attacks. This can also help the attackers determine how effective the target infrastructure is at mitigating such attacks, and whether they need to increase the volume. Incapsula also reported that 100+ Gbps attacks became commonplace and a 100+ Gbps attack was mitigated once every other day.
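The attack classes in the top-five table and the duration buckets of the Incapsula charts can both be reproduced from a defender's own flow telemetry. The following added example (not Symantec's or Incapsula's code) classifies per-second flow summaries into those attack names, merges flood seconds into episodes and buckets each episode's duration; the record layout, the 10,000 packets-per-second threshold, the 512-byte DNS response size cutoff and the three constructed floods are assumptions made for the example.

```python
"""Flood classification and duration bucketing over constructed flow records.

Added example, not Symantec's or Incapsula's code: the flow-record layout, the
packets-per-second threshold and the three constructed floods are assumptions.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One-second packet summary toward a protected host (assumed format)."""
    ts: int              # epoch seconds
    proto: str           # "icmp", "tcp" or "udp"
    src_port: int
    tcp_flags: str       # "S" = SYN only; "" for non-TCP
    dst: str
    packets: int
    bytes: int
    icmp_type: int = -1  # 8 = echo request, 0 = echo reply

PPS_THRESHOLD = 10_000  # assumed per-destination rate that marks a flood second

# Hour buckets mirroring the Incapsula duration charts (upper bound exclusive).
DURATION_BUCKETS_HOURS = [("<0.5", 0.5), ("0.5-1", 1), ("1-3", 3), ("3-6", 6),
                          ("6-12", 12), ("12-24", 24), ("24+", float("inf"))]

@dataclass
class Episode:
    dst: str
    attack: str
    start: int
    end: int
    peak_pps: int

    def hours(self):
        return (self.end - self.start + 1) / 3600

    def bucket(self):
        return next(label for label, limit in DURATION_BUCKETS_HOURS
                    if self.hours() < limit)

def classify(f):
    """Map one flow record to an attack name from the top-five table, or None."""
    if f.proto == "icmp" and f.icmp_type == 8:
        return "Generic ICMP Flood Attack"
    if f.proto == "icmp" and f.icmp_type == 0:
        # A Smurf victim sees a mass of echo *replies* from the reflectors.
        return "Generic Ping Broadcast (Smurf) Denial of Service Attack"
    if f.proto == "tcp" and f.tcp_flags == "S":
        return "Generic TCP Syn Flood Denial of Service Attack"
    if f.proto == "udp" and f.src_port == 53 and f.bytes / f.packets > 512:
        # Large unsolicited DNS responses: reflection/amplification traffic.
        return "DNS Amplification Attack"
    return None

def detect_floods(flows, pps_threshold=PPS_THRESHOLD, max_gap=60):
    """Sum classified packets per (dst, attack, second); merge flood seconds
    separated by at most max_gap quiet seconds into Episode objects."""
    per_second = Counter()
    for f in flows:
        kind = classify(f)
        if kind:
            per_second[(f.dst, kind, f.ts)] += f.packets
    flood_seconds = {}
    for (dst, kind, ts), pps in per_second.items():
        if pps > pps_threshold:
            flood_seconds.setdefault((dst, kind), []).append((ts, pps))
    episodes = []
    for (dst, kind), secs in flood_seconds.items():
        secs.sort()
        cur = Episode(dst, kind, secs[0][0], secs[0][0], secs[0][1])
        for ts, pps in secs[1:]:
            if ts - cur.end > max_gap:  # quiet gap: close the episode
                episodes.append(cur)
                cur = Episode(dst, kind, ts, ts, pps)
            else:
                cur.end, cur.peak_pps = ts, max(cur.peak_pps, pps)
        episodes.append(cur)
    return sorted(episodes, key=lambda e: e.start)

def duration_distribution(episodes):
    """Percentage of episodes per duration bucket, as in the Incapsula charts."""
    counts = Counter(e.bucket() for e in episodes)
    return {b: round(100 * n / len(episodes), 1) for b, n in counts.items()}

def synthetic_flows():
    """Constructed 3-hour window: light background traffic plus three floods."""
    flows = []
    for ts in range(3 * 3600):
        flows.append(Flow(ts, "tcp", 443, "PA", "203.0.113.10", 300, 210_000))
        flows.append(Flow(ts, "udp", 53, "", "203.0.113.10", 5, 600))
        if ts < 1200:            # 20-minute ICMP echo-request flood
            flows.append(Flow(ts, "icmp", 0, "", "203.0.113.10", 60_000, 3_840_000, 8))
        if 1800 <= ts < 4200:    # 40-minute DNS reflection
            flows.append(Flow(ts, "udp", 53, "", "203.0.113.10", 25_000, 80_000_000))
        if 3600 <= ts < 10800:   # 2-hour SYN flood on the mail server
            flows.append(Flow(ts, "tcp", 41000, "S", "203.0.113.20", 30_000, 1_800_000))
    return flows
```

Running `detect_floods(synthetic_flows())` yields three episodes landing in the "<0.5", "0.5-1" and "1-3" hour buckets, the short-duration region the Q3 chart describes.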

What's in a Botnet?

Botnets are key to DDoS attacks, whether they're hired or created by the criminals carrying out the attack. The bigger the botnet, the more simultaneous requests it can send and the more disruptive the attack will be.

But it's not just infected PCs that are providing criminals with their robot army. In October, we saw malware target MySQL servers, which often offer a much larger bandwidth capacity for an attack than traditional consumer PCs. This method isn't new, but it shows criminals are continuing to create bigger and better botnets.

In 2015, we also saw criminals making increasing use of the Internet of Things (IoT) to strengthen their botnet ranks. CCTV cameras proved particularly popular, likely because they are one of the most common IoT devices, with 245 million professionally installed video surveillance cameras active and operational globally in 2014.

Looking ahead, it's likely that criminals will make increasing use of vulnerable IoT devices to execute large-scale DDoS attacks. While solutions exist to mitigate against DDoS attack, organizations will also face new challenges in implementing appropriate security on non-traditional devices to ensure they don't become part of the problem. Perhaps more concerning, without the right security in place, it will be even more difficult to know when your printer, or refrigerator, thermostat, or toaster is actually part of a toxic global botnet.


CONCLUSIONS

Why is Cybersecurity so Important?

Nothing Is Automatically Immune

This is the 21st edition of the Symantec Internet Security Threat Report and much has changed since the first one. Each year we take a fresh look at the structure and contents of the report. As well as focusing on the threats and reporting the findings from our research, Symantec also tracks industry trends, and in the report, we try to highlight the important developments and look to future trends. This goes beyond just looking at computer systems, smartphones, and other products, and extends into broad concepts like national security, the economy, data protection, and privacy.

No system is automatically immune from cyber threats, and in this report, the consequences of ignoring the risks from complacency, negligence, and incompetence are clear. In 2015, an unprecedented number of vulnerabilities were identified as zero-day exploits that have been weaponized, and web attack exploit kits are adapting and evolving them more quickly than ever. As more devices are connected, vulnerabilities will be exploited. Safeguarding Internet-connected devices will become critically important to ensuring the safety of industrial control systems (ICS) and medical devices in the community.

Cybersecurity Matters

Alongside the rising number of software vulnerabilities, and the parade of attacks on different systems, the future will bring with it a greater range of diversity as threats against Windows systems will extend to other operating systems, mobile, and other IoT devices.

This report takes a high-level view of cybersecurity and Internet threats, underlining the notable changes and developments. However, we must not forget that cybercrime is not victimless. For example, ransomware locks people out of their computers, holding treasured family photos to ransom, hijacking unfinished manuscripts for novels, and blocking access to tax returns, banking records, and other valuable documents. Moreover, there are no guarantees that paying the ransom will release those padlocks. Businesses, as well as home users, have become victims, and relying on backups is often the last line of defense when cybersecurity should really be the first.

Targeted attacks steal invaluable intellectual property from businesses, and a data breach can shred an organization's reputation, even threatening its survival. Cyber insurance claims are growing in number and cost, pushing premiums even higher. In the broadest sense, cybersecurity problems threaten national security and economic growth, which ultimately affects us all.

Web Security and the Industry's Responsibility

Updates to protect against such vulnerabilities are released regularly, including for SSL/TLS protocol libraries, such as OpenSSL, but website owners still have to install them. We have seen in this report and over the past few years that this is still not happening quickly enough. The number of vulnerable websites continues to persist year after year, with very little improvement to show. While the move from SHA-1 certificates to the much stronger SHA-2 is gaining momentum, organizations must deploy the new certificates properly in order for the changes to be effective.

Criminals continued to find vulnerabilities in the underlying infrastructure of website security in 2015, exploiting weaknesses in the underlying encryption systems, allowing attackers to intercept and control secure connections. The wider debate around security, privacy, and strong encryption will ultimately affect all of us.

Digital Hygiene and a Cleaner Future

In cybersecurity, we often talk about infections and viruses. But the state of ubiquitous attacks, epic data breaches, and advanced threats we have seen this year suggest that there are better medical analogies. Instead of infection, we might think of disease, both chronic and acute, serious and benign. Instead of thinking in binary terms of infection-free and compromised, we should move to a wellness model that considers susceptibility, resilience, wellness, vulnerability to infection, and recoverability. As IT security professionals, we should emphasize prevention, detection, and mitigation, as well as a complete cure. Concepts borrowed from epidemiology, incident response planning, and tools such as security simulation are becoming more important and useful.

For individuals and companies, Internet security is going to be much more like wellness and hygiene than medicine, and focused on the routine of prevention rather than looking for a panacea or cure. We all need to stay digitally healthy and digitally clean, and habits of security will need to be relearned, over and over again.

Similarly, IT departments need to be proactive in reducing the risk from persistent intrusions and malware, and identify breaches quickly. Unfortunately, discovering attacks quickly requires constant, active vigilance. Information security can't wait for support tickets to open or for a favored security tool to identify an issue conclusively. Security needs to start digging through the data proactively during non-breach response time.


As an industry, we need to start moving into a more investigative, clinical-study mindset where we are constantly researching the habits or artifacts that cause the digital diseases. Taking risks with cybersecurity will be seen as unacceptable, perhaps anathema, akin to driving a car while under the influence of alcohol.

Cybersecurity is not just about employing the right kind of technology; it also requires good digital hygiene on the part of everyone, both at home and in the office. Education and greater awareness of cybersecurity issues will help everyone to become more digitally healthy. By being aware of just how many risks you face, you can reduce them, learn how to recognize symptoms, and diagnose digital diseases before they put your data, and your customers' data, at risk. We should reject the misconception that privacy no longer exists. Privacy is precious, and should be protected carefully.

For the latest updated figures, please visit Symantec's Monthly Threat Report.

2016 Internet Security Threat Report


BEST PRACTICE GUIDELINES FOR BUSINESSES

Employ Defense-in-Depth Strategies

Emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated firewalls as well as gateway antivirus, intrusion detection or prevention systems (IDS/IPS), website vulnerability assessment with malware protection, and web security gateway solutions throughout the network.

Antivirus on Endpoints Is Not Enough

On endpoints, it is important to have the latest versions of antivirus software installed. Deploy and use a comprehensive endpoint security product that includes additional layers of protection, including:
- Endpoint intrusion prevention that protects unpatched vulnerabilities from being exploited, protects against social engineering attacks, and stops malware from reaching endpoints.
- Browser protection for avoiding obfuscated web-based attacks.
- File- and web-based reputation solutions that provide a risk-and-reputation rating of any application and website to prevent rapidly mutating and polymorphic malware.


Protect Private Keys

Make sure to get your digital certificates from an established, trustworthy certificate authority that demonstrates excellent security practices. Symantec recommends that organizations:
- Use separate Test Signing and Release Signing infrastructures.
- Secure keys in secure, tamper-proof, cryptographic hardware devices.
- Implement physical security to protect your assets from theft.

Use Encryption and DLP to Protect Sensitive Data

Implement and enforce a security policy whereby any sensitive data is encrypted. Ensure that customer data is encrypted as well. This not only serves to prevent data breaches, but can also help mitigate the damage of potential data leaks from within an organization.

Access to sensitive information should be restricted. This should include a Data Loss Protection (DLP) solution that can help prevent data breaches and minimize their impact.
- Implement a DLP solution that can discover where sensitive data resides, monitor its use, and protect it from loss.
- Monitor the flow of information as it leaves the organization over the network, and monitor traffic to external devices or websites.
- DLP should be configured to identify and block suspicious copying or downloading of sensitive data.
- DLP should also be used to identify confidential or sensitive data assets on network file systems and computers.
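The discovery task in the last bullet is, at bottom, pattern matching plus a validity check, so that the rule does not fire on every 16-digit order number it meets. The following is an added example, not Symantec DLP code, of the content rule a DLP product applies when it looks for payment card numbers: candidates are found with a regular expression, validated with the Luhn checksum, and reported masked so the finding itself does not re-leak the data. The sample document and its card numbers (public test numbers) are constructed for the demo.

```python
"""Card-number discovery as a DLP content rule would do it.
Added example, not Symantec DLP code. SAMPLE_DOCUMENT is constructed."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812), used by every major card brand."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four so a finding can be reported safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_numbers(text: str) -> list:
    """Return (masked_pan, offset) for every Luhn-valid candidate in text.
    Digit runs that fail Luhn (order numbers, phone numbers) are ignored,
    which is what keeps the rule from drowning analysts in false positives."""
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not 13 <= len(digits) <= 19:
            continue
        if len(set(digits)) == 1:       # 0000000000000000 passes Luhn; skip it
            continue
        if luhn_ok(digits):
            findings.append((mask_pan(digits), m.start()))
    return findings


# Constructed sample: a stray spreadsheet export found on a file share.
SAMPLE_DOCUMENT = """\
customer,card,order_ref,phone
A. Smith,4111 1111 1111 1111,1234567812345678,+1 555 0100
B. Jones,378282246310005,ORD-2015-00042,+1 555 0199
C. Brown,4111-1111-1111-1112,9876543210,+1 555 0123
"""


def scan_document(text: str = SAMPLE_DOCUMENT) -> list:
    """Masked card numbers found in a document; two of the three rows hit."""
    return [masked for masked, _ in find_card_numbers(text)]


if __name__ == "__main__":
    for masked, offset in find_card_numbers(SAMPLE_DOCUMENT):
        print(f"PAN at offset {offset}: {masked}")
```

The same detector can be run over files on a share, over an outbound mail body, or over a captured upload; only the source of `text` changes. Row three is deliberately one digit off a valid number, and the order reference on row one is a 16-digit run that fails Luhn; neither is reported.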


Ensure All Devices Allowed on Company Networks Have Adequate Security Protections

If a bring-your-own-device (BYOD) policy is in place, ensure a minimal security profile is established for any devices that are allowed access to the network.

Implement a Removable Media Policy

Where practical, restrict unauthorized devices, such as external portable hard drives and other removable media. Such devices can both introduce malware and facilitate intellectual property breaches, whether intentional or unintentional. If external media devices are permitted, automatically scan them for viruses upon connection to the network and use a DLP solution to monitor and restrict copying of confidential data to unencrypted external storage devices.

Be Aggressive in Updating and Patching

Update, patch, and migrate from outdated and insecure browsers, applications, and browser plugins. This also applies to operating systems, not just across computers, but mobile, ICS, and IoT devices as well. Keep virus and intrusion prevention definitions at the latest available versions using vendors' automatic updates.

Most software vendors work diligently to patch exploited software vulnerabilities; however, such patches can only be effective if adopted in the field. Wherever possible, automate patch deployments to maintain protection against vulnerabilities across the organization.

Enforce an Effective Password Policy

Ensure passwords are strong. Passwords should be at least 8-10 characters long and include a mixture of letters and numbers. Encourage users to avoid re-using the same passwords on multiple websites, and forbid sharing passwords with others. Passwords should be changed regularly, at least every 90 days.

Restrict Email Attachments

Configure mail servers to block or remove email that contains file attachments commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF, and .SCR files. Enterprises should investigate policies for .PDFs that are allowed to be included as email attachments. Ensure that mail servers are adequately protected by security software and that email is thoroughly scanned.
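Blocking on the extension alone is easy to bypass with a double extension ("invoice.pdf.exe"), a renamed binary, or an archive, so a gateway rule should combine the report's extension list with content inspection. The following is an added example, not Symantec's code, of such a rule. The gateway interface it assumes (filename plus raw bytes in, a block/review/allow verdict out) is hypothetical, and the attachments it classifies are constructed in the code, with an executable represented by its magic bytes only.

```python
"""Mail-gateway attachment policy check. Added example, not Symantec code.
Assumed interface (not from the report): the gateway hands over the attachment
filename and raw bytes and expects "block", "review" or "allow" back.
All sample attachments below are constructed for the demo."""
import io
import zipfile

BLOCKED_EXTENSIONS = {"vbs", "bat", "exe", "pif", "scr"}   # from the report
REVIEW_EXTENSIONS = {"pdf"}          # report: investigate a policy for PDFs
ARCHIVE_EXTENSIONS = {"zip"}         # look inside so a blocked type cannot hide
MZ_HEADER = b"MZ"                    # DOS/PE executable magic bytes
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # refuse to expand huge archive members


def extensions_of(filename: str) -> list:
    """All extensions in the name, lowercased: 'Invoice.PDF.exe' -> ['pdf', 'exe'].
    Checking every extension, not just the last, catches double extensions."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(filename: str, data: bytes, depth: int = 0) -> str:
    exts = extensions_of(filename)
    if BLOCKED_EXTENSIONS & set(exts):
        return "block"                      # rule 1: blocked extension anywhere
    if data.startswith(MZ_HEADER):
        return "block"                      # rule 2: executable with a lying name
    if exts and exts[-1] in ARCHIVE_EXTENSIONS:
        return classify_zip(data, depth)    # rule 3: recurse into archives
    if exts and exts[-1] in REVIEW_EXTENSIONS:
        return "review"                     # rule 4: policy says review PDFs
    return "allow"


def classify_zip(data: bytes, depth: int, max_depth: int = 2) -> str:
    if depth >= max_depth:
        return "review"          # nested too deep to inspect: hand to a sandbox
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "review"          # claims to be a zip but is not: suspicious
    worst = "allow"
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                return "review"  # possible zip bomb; do not expand it here
            verdict = classify_attachment(info.filename, zf.read(info), depth + 1)
            if verdict == "block":
                return "block"
            if verdict == "review":
                worst = "review"
    return worst


def build_zip(members: dict) -> bytes:
    """Constructed sample archive from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): a "PE" is just its magic bytes.
FAKE_PE = MZ_HEADER + b"\x90\x00" * 32
SAMPLES = {
    "report.docx": b"PK\x03\x04 plain document bytes",
    "invoice.pdf.exe": FAKE_PE,                 # double extension
    "readme.txt": FAKE_PE,                      # renamed executable
    "statement.pdf": b"%PDF-1.4 ...",           # review per policy
    "archive.zip": build_zip({"photos/cat.jpg": b"\xff\xd8\xff", "setup.scr": FAKE_PE}),
    "nested.zip": build_zip({"inner.zip": build_zip({"x.vbs": b"MsgBox 1"})}),
}


def classify_samples() -> dict:
    return {name: classify_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{verdict:6}  {name}")
```

Anything the rule cannot decide (an archive that will not open, one nested too deeply, an oversized member) is returned as "review" rather than "allow", so a bypass attempt costs the attacker a human look instead of a free pass.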

Ensure Infection and Incident Response Procedures Are in Place
- Keep your security vendor contact information handy; know who you will call, and what steps you will take, if you have one or more infected systems.
- Ensure that a backup-and-restore solution is in place in order to restore lost or compromised data in the event of a successful attack or catastrophic data loss.
- Make use of post-infection detection capabilities to identify infected computers, isolate them to prevent the risk of further infection within the organization, and restore them using trusted backup media.
- If network services are exploited by malicious code or some other threat, disable or block access to those services until a patch is applied.

Educate Employees

As ever, basic common sense and the introduction of good security habits can go a long way to keeping sites and servers safe this year.
- Do not open attachments unless they are expected and come from a known and trusted source, and do not execute software that is downloaded from the Internet (if such actions are permitted) unless it comes from a trusted source or the download has been scanned for malware.
- Be cautious when clicking on URLs in emails or social media programs, even when they come from trusted sources and friends.
- Encourage employees to use common sense and to raise the alarm if they see anything suspicious. For example, if Windows users see a warning indicating that they are infected after clicking on a URL or using a search engine (indicative of fake antivirus infections), educate users to close or quit the browser using Alt-F4 or Ctrl+W, or to use the Task Manager, and then to notify the helpdesk.

Ensure Regular Backups Are Available

Create and maintain regular backups of critical systems, as well as endpoints. In the event of a security or data emergency, backups should be easily accessible to minimize downtime of services and employee productivity.

Protect Mobile Devices

We recommend that people and employers treat mobile devices like the small, powerful computers that they are and protect them accordingly using:
- Access control, including biometrics where possible.
- Data loss prevention, such as on-device encryption.
- Automated device backup.
- Remote find and wipe.
- Regular updating. Recent versions of Android include a number of features designed specifically to thwart attackers.
- Common sense. Don't jailbreak devices and only use trusted app markets.
- Training, particularly around paying attention to the permissions requested by an app.
- Security solutions such as Symantec Mobility or Norton Mobile Security.

We have seen the number of mobile vulnerabilities increase every year over the past three years, although this is perhaps an indicator of progress rather than a cause for despair. It is an indication that security researchers, operating system developers, and app writers are, in fact, paying more attention to mobile security by identifying and fixing more problems. Although we expect mobile devices to come under growing attack over the next year, there is also hope that with the right preventative measures and continuing investment in security, users can achieve a high level of protection against them.

Building Security into Devices

The diverse nature of ICS and IoT platforms makes host-based intrusion detection systems (IDS) and intrusion prevention systems (IPS), with customizable rulesets and policies that are unique to a platform and application, suitable solutions. However, manufacturers of ICS and IoT devices are largely responsible for ensuring that security is built into the devices before shipping.

Building security directly into the software and applications that run on ICS and IoT devices should prevent many attacks that manage to side-step defenses at the upper layers. Manufacturers should adopt and integrate such principles into their software development processes.

Business users and consumers need to be assured that suppliers are fundamentally building security into the IoT devices they are buying, rather than it being considered a bolt-on option.

It's a Team Effort

Consumer confidence is built up over multiple interactions across numerous websites owned by countless different organizations. But it only takes one bad experience of stolen data or a drive-by download to tarnish the reputation of every website in the consumer's mind.

As we said at the start of the report, there is a real opportunity in the coming year to reduce the number of successful web attacks and limit the risks websites potentially pose to consumers, but it will take commitment and action from website owners for it to become a reality.

Adopt Complete Website Security in 2016 and, together with Symantec, make it a good year for cybersecurity and a very bad one for cybercriminals.


BEST PRACTICE GUIDELINES FOR WEBSITE OWNERS

For website security to be effective, it has to be implemented with care and attention, and it has to be monitored and maintained continually.

While there are tools to help you keep your website ecosystem secure, it all starts with education. You've read about the risks; now find out what you can do about them.

Get in line with industry standards
- Implement always-on SSL. Implement SSL/TLS on every page of your website so that every interaction a visitor has with your site is encrypted. Switching to HTTPS everywhere, as it's also called, with OV or EV SSL/TLS certificates demonstrates your credibility, can also improve your search rankings, and paves the way for an upgrade to HTTP/2, delivering better performance.
- Migrate to SHA-2. As discussed in the report, certificate authorities should have stopped issuing SHA-1 certificates as of 1 January 2016, but you need to ensure any legacy certificates are also upgraded, and that any devices and applications that may not currently recognize SHA-2 are upgraded too.
- Consider adopting ECC. Symantec also offers certificates with ECC keys. All major browsers, even mobile, support ECC certificates on all the latest platforms, and, by Symantec's estimate, compared to an industry-standard 2048-bit RSA key, 256-bit ECC keys are 64,000 times harder to crack.

Use SSL/TLS Correctly

SSL/TLS is only as good as its implementation and maintenance. So be sure to:
- Keep protocol libraries up to date. SSL/TLS implementation is an on-going task and it's vital that any patches or updates to the software you use are implemented as soon as possible.
- Don't let your certificates expire. Keep track of what certificates you have, from which certificate authority, and when they are due to expire. Symantec offers a range of automation tools to help you do this, giving you more time for proactive security tasks.
- Display recognized trust marks. Display trust marks (such as the Norton Secured Seal) in highly visible locations on your website to show customers your commitment to their security.
- Manage your SSL/TLS keys properly. Limit the number of people with access to them; have separate administrators for managing the passwords for the server where they're kept and for managing the systems they're actually stored in; and use automated certificate and key management systems to reduce human involvement. Any breach affecting SSL keys should be notified to the CA quickly, so that the corresponding certificates can be revoked.
- Be picky about your plugins. The software you use to manage
- Consider the whole ecosystem. Have you deployed a Web Application Firewall to defend against injection attacks? Is your code signing secure for your web apps? Do you have automated tools to detect and defend against the increasingly common problem of DDoS attacks?

Symantec offers a range of tools that make maintaining complete website security a straightforward and efficient task.

Avoid Compromising Trusted Relationships with Customers by:
- Regularly assessing your website for any vulnerabilities.
- Scanning your website daily for malware.
- Setting the secure flag for all session cookies.
- Securing your websites against man-in-the-middle (MITM) attacks and malware infection.
- Choosing SSL Certificates with Extended Validation to display the green browser address bar to website users.
- Displaying recognized trust marks in highly visible locations on your website to show customers your commitment to their security.
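Two of the items above, always-on SSL and the secure flag on session cookies, can be verified from a single HTTPS response. The following is an added example, not Symantec's code, that audits a response's Set-Cookie and Strict-Transport-Security headers: it reports session cookies without Secure (which are also sent over plain HTTP), HttpOnly or SameSite, and an HSTS policy that is absent, short-lived or missing includeSubDomains. The response headers are constructed for the demo, and the session-cookie name hints are an assumption to tune per application.

```python
"""Session-cookie flag and HSTS audit of one HTTPS response.
Added example, not Symantec code. SAMPLE_HEADERS is constructed and
SESSION_NAME_HINTS is an assumption, not a standard list."""
import re

# Cookie names that usually carry a session or auth token (assumed list).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")
MIN_HSTS_MAX_AGE = 31536000    # one year, the value browser preload lists expect


def parse_set_cookie(header_value: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and lowercase attrs."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session_cookie(cookie: dict) -> bool:
    """Heuristic: a name hint, or no Expires/Max-Age (browser-session scope)."""
    name = cookie["name"].lower()
    if any(hint in name for hint in SESSION_NAME_HINTS):
        return True
    return "expires" not in cookie["attrs"] and "max-age" not in cookie["attrs"]


def audit_cookie(header_value: str) -> list:
    """Findings for one Set-Cookie header; an empty list means it passed."""
    cookie = parse_set_cookie(header_value)
    attrs = cookie["attrs"]
    findings = []
    if looks_like_session_cookie(cookie):
        if "secure" not in attrs:
            findings.append("missing Secure: sent over plain HTTP too")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly: readable by injected script")
        if "samesite" not in attrs:
            findings.append("missing SameSite: usable in cross-site requests")
    return findings


def audit_hsts(headers: list) -> list:
    """Findings for Strict-Transport-Security across the response headers."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["HSTS header absent: first visit can be downgraded to HTTP"]
    m = re.search(r"max-age\s*=\s*(\d+)", values[0], re.I)
    findings = []
    if not m:
        findings.append("HSTS max-age missing")
    elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {m.group(1)} is under one year")
    if "includesubdomains" not in values[0].lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings


def audit_response(headers: list) -> dict:
    """headers: list of (name, value) pairs as an HTTP client library reports them."""
    report = {"cookies": {}, "hsts": audit_hsts(headers)}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name = parse_set_cookie(value)["name"]
            report["cookies"][cookie_name] = audit_cookie(value)
    return report


# Constructed response from a site that turned on HTTPS but not much else.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=7f3a9c2e1b; Path=/"),
    ("Set-Cookie", "auth_token=eyJhbGciOi; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/; Max-Age=31536000"),
    ("Strict-Transport-Security", "max-age=300"),
]


if __name__ == "__main__":
    result = audit_response(SAMPLE_HEADERS)
    for cookie, issues in result["cookies"].items():
        print(cookie, issues or "ok")
    print("HSTS", result["hsts"] or "ok")
```

In the constructed response the PHP session cookie fails all three checks, the token cookie passes, the language preference is ignored because it is neither session-scoped nor named like a credential, and the HSTS policy is present but too short to protect returning visitors for long.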

There Is No I in Team

Consumer confidence is built up over multiple interactions across numerous websites owned by countless different organizations. It only takes one bad experience to tarnish the reputation of every single one in the consumer's mind.

As we said in the report, there exists a real opportunity in the coming year to reduce the number of successful web attacks and limit the risks your website potentially poses to consumers, but it will take commitment and action from website owners for it to become a reality.

Adopt comprehensive website security in 2016 and, together with Symantec, make it a good year for cyber security and a very bad one for cybercriminals.


20 CRITICAL SECURITY CONTROLS

Overview

The Council on Cybersecurity 20 Critical Security Controls is a prioritized list designed to provide maximum benefit toward improving risk posture against real-world threats. This list of 20 control areas grew out of an international consortium of U.S. and international agencies and experts, sharing lessons from actual incidents and helping to keep it current against evolving global cybersecurity threats. Led by the Center for Internet Security (CIS), the CIS Critical Security Controls (the Controls) have been matured by an international community of individuals and institutions, and were updated in 2015 to version six. For more information please refer to the documentation found at http://www.cisecurity.org/critical-controls.

Many organizations face the challenges and increasing threats to their cybersecurity by strategically choosing a security controls framework as a reference for initiating, implementing, measuring, and evaluating their security posture, and managing risk. Over the years, many security control frameworks have been developed (for example, NIST), with the common goal of offering combined knowledge and proven guidance for protecting critical assets, infrastructure, and information. Based on the information we have today about attacks and threats, what are the most important steps that enterprises should take now to secure systems and data?

The Critical Security Controls are designed to provide organizations the information necessary to increase their security posture in a consistent and ongoing fashion. The Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state.

To implement the Controls you must understand what is critical to your business, data, systems, networks, and infrastructure, and you must consider the adversary actions that could impact your ability to be successful in the business or operations.

TOP 5 PRIORITIES

We emphasize the use of the first five Controls for every organization. This helps establish a foundation of security and has the most immediate impact on preventing attacks. From this foundation organizations can apply other Controls as they meet the business need of the organization.

In the following pages you will see a table that outlines the areas identified in the ISTR and ties them to Critical Security Controls:

01
Inventory of Authorized and Unauthorized Devices
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

02
Inventory of Authorized and Unauthorized Software
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

03
Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

04
Continuous Vulnerability Assessment and Remediation
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

05
Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.


06

Maintenance, Monitoring, and Analysis of Audit Logs
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

07
Email and Web Browser Protections
Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

08
Malware Defenses
Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

09
Limitation and Control of Network Ports, Protocols, and Services
Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.

10
Data Recovery Capability
The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

11
Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

12
Boundary Defense
Detect, prevent, and correct the flow of information transferring between networks of different trust levels, with a focus on security-damaging data.

13
Data Protection
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

14
Controlled Access Based on the Need to Know
The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, and systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

15
Wireless Access Control
The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (LANs), access points, and wireless client systems.

16
Account Monitoring and Control
Actively manage the life cycle of system and application accounts (their creation, use, dormancy, and deletion) in order to minimize opportunities for attackers to leverage them.

17
Security Skills Assessment and Appropriate Training to Fill Gaps
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.

18
Application Software Security
Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.

19
Incident Response and Management
Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.

20
Penetration Tests and Red Team Exercises
Test the overall strength of an organization's defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.


CRITICAL CONTROL PROTECTION PRIORITIES

[Table: for each threat area covered in the ISTR (Mobile Devices; Internet of Things; Web-Based Threats; Data Breaches; E-Crime & Malware; Cloud & Infrastructure / Web Servers; DDoS & Botnets; Social Media & Email Threats; Targeted Attacks & Spear Phishing), the Critical Controls that Harden Defenses, Enhance Detection, and Reduce Impact. The control numbers in each cell are not recoverable from this copy; refer to the original report for the mapping.]


BEST PRACTICE GUIDELINES FOR CONSUMERS

Protect Yourself

Use a modern Internet security solution that includes the following capabilities for maximum protection against malicious code and other threats:
- Antivirus

Be Wary of Scareware Tactics

Versions of software that claim to be free, cracked, or pirated can expose you to malware or social engineering attacks that attempt to trick you into thinking your computer is infected and get you to pay money to have it removed.

Use an Effective Password Policy

Ensure that passwords are a mix of letters and numbers, and change them often. Passwords should not consist of dictionary words. Do not use the same password for multiple applications or websites. Use complex passwords (upper and lower case and punctuation). Passphrases and password management apps can help too.

Think Before You Click

Never view, open, or copy email attachments to your desktop, or execute any email attachment, unless you expect it and trust the sender. Even when receiving email attachments from trusted users, be suspicious.
- Be cautious when clicking on URLs in emails or social media communications, even when they come from trusted sources and friends. Do not blindly click on shortened URLs without expanding them first using a preview tool or plugin.
- Use a web browser plugin or URL reputation site that shows the reputation and safety rating of websites before visiting.
- Be suspicious of search engine results; only click through to trusted sources when conducting searches, especially on topics that are hot in the media.
- Be suspicious of warnings that pop up asking you to install
- Be aware of files you make available for sharing on public sites, including gaming, BitTorrent, and any other peer-to-peer (P2P) exchanges. Keep Dropbox, Evernote, and other such usage to a minimum for pertinent information only, and only use them when approved for corporate use.

Safeguard Your Personal Data

Limit the amount of personal information you make publicly available on the Internet (in particular via social networks). This includes personal and financial information, such as bank logins or birth dates. Additionally:
- Regularly


ABOUT SYMANTEC

Symantec Corporation is the global leader in cybersecurity. Operating one of the world's largest cyber intelligence networks, we see more threats, and protect more customers from the next generation of attacks. We help companies, governments, and individuals secure their most important data wherever it lives.